setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. Versions prior to 78.1.1 contain a path traversal vulnerability (CWE-22) in `PackageIndex`, the component in `setuptools/package_index.py` that fetches distributions from a package index (see the referenced lines 810-825 of that file). The filename under which a fetched resource is saved is derived from the resource URL without being confined to the intended download directory, so an attacker who controls the index or the download URL can write files to arbitrary locations on the filesystem with the permissions of the process running the Python code. Depending on the context (for example, if the written file is later imported or executed), this can escalate to remote code execution. Version 78.1.1 fixes the issue.
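The following block is an added illustration of the bug class described above, not setuptools' own code: `filename_from_url` is a simplified stand-in for deriving a download name from a URL, `naive_download_path` shows the unconfined join, `safe_download_path` shows a hardened version, and the sample URLs are constructed. It goes slightly beyond the one-sentence description by showing both ways an untrusted final path component escapes a directory when joined with `os.path.join`: an absolute component discards the directory entirely, and a percent-encoded `..` chain walks back out of it. `is_patched_version` is a small inventory check against the fixed release, 78.1.1.

```python
"""Added illustration of the CWE-22 pattern behind CVE-2025-47273 next to a
hardened version.  This is example code, not setuptools' own: the function
names and the sample URLs are constructed for the demonstration.
"""
import itertools
import os
import urllib.parse


def filename_from_url(url: str) -> str:
    """Derive a download name from the last path segment of a URL.

    Percent-decoding *after* the split is what lets '/' and '..' reappear in
    the result even though they were not separators in the original path.
    """
    path = urllib.parse.urlparse(url).path
    return urllib.parse.unquote(path.split("/")[-1]) or "__downloaded__"


def naive_download_path(url: str, tmpdir: str) -> str:
    """Vulnerable pattern: join an untrusted name onto the download dir.

    os.path.join drops tmpdir entirely when the name is absolute, and '..'
    segments walk back out of it, so tmpdir is never actually enforced.
    """
    return os.path.join(tmpdir, filename_from_url(url))


def safe_download_path(url: str, tmpdir: str) -> str:
    """Hardened pattern: keep one path component, then verify confinement.

    Raises ValueError instead of returning a path outside tmpdir.  realpath
    on both sides keeps the check correct for symlinked tmpdirs and for any
    '..' that might survive earlier normalisation.
    """
    name = os.path.basename(filename_from_url(url).replace("\\", "/"))
    if name in ("", ".", ".."):
        raise ValueError(f"refusing suspicious download name {name!r}")
    base = os.path.realpath(tmpdir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"{target} escapes download dir {base}")
    return target


def escapes(path: str, tmpdir: str) -> bool:
    """True if `path` does not resolve inside `tmpdir` (used to show the bug)."""
    base = os.path.realpath(tmpdir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


def rejects(url: str, tmpdir: str) -> bool:
    """True if the hardened resolver refuses `url` rather than return a path."""
    try:
        safe_download_path(url, tmpdir)
    except ValueError:
        return True
    return False


def is_patched_version(version: str) -> bool:
    """True if `version` is 78.1.1 or later, the release that fixes the issue.

    Only the leading digits of the first three dotted pieces are compared, so
    a pre-release such as '78.1.1rc1' counts as 78.1.1; use the `packaging`
    library for anything stricter than an inventory check.
    """
    parts = []
    for piece in version.split(".")[:3]:
        digits = "".join(itertools.takewhile(str.isdigit, piece))
        parts.append(int(digits) if digits else 0)
    parts += [0] * (3 - len(parts))
    return tuple(parts) >= (78, 1, 1)


if __name__ == "__main__":
    # Constructed sample URLs: a final segment that decodes to an absolute
    # path, one that decodes to a '..' chain, and a benign distribution name.
    tmpdir = "/tmp/setuptools-dl"
    for url in (
        "https://files.example.test/simple/pkg/%2Fetc%2Fcron.d%2Fevil",
        "https://files.example.test/simple/pkg/..%2F..%2Fpwned.txt",
        "https://files.example.test/packages/pkg-1.0.tar.gz",
    ):
        naive = naive_download_path(url, tmpdir)
        print(f"{url}\n  naive -> {naive} (escapes={escapes(naive, tmpdir)})")
        print(f"  safe  -> {safe_download_path(url, tmpdir)}")
```

The hardened resolver deliberately reduces a traversal attempt to its last component and then re-checks confinement rather than trusting the basename step alone; if you would rather fail loudly on any name containing a separator, raise before the `basename` call instead of after it.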
References
Link | Resource |
---|---|
https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88 | Product |
https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b | Patch |
https://github.com/pypa/setuptools/issues/4946 | Exploit, Issue Tracking |
https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf | Exploit, Vendor Advisory |
https://lists.debian.org/debian-lts-announce/2025/05/msg00035.html | Mailing List |
History
12 Jun 2025, 16:29
Type | Values Removed | Values Added |
---|---|---|
CPE | | cpe:2.3:a:python:setuptools:*:*:*:*:*:*:*:* ; cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* |
CVSS | v2 : (none) ; v3 : (none) | v2 : unknown ; v3 : 8.8 |
First Time | | Python ; Debian ; Debian debian Linux ; Python setuptools |
References | | https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88 - Product |
References | | https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b - Patch |
References | | https://github.com/pypa/setuptools/issues/4946 - Exploit, Issue Tracking |
References | | https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf - Exploit, Vendor Advisory |
References | | https://lists.debian.org/debian-lts-announce/2025/05/msg00035.html - Mailing List |
28 May 2025, 15:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
19 May 2025, 15:15
Type | Values Removed | Values Added |
---|---|---|
References | | https://github.com/pypa/setuptools/issues/4946 |
19 May 2025, 13:35
Type | Values Removed | Values Added |
---|---|---|
Summary | | |
17 May 2025, 16:15
Type | Values Removed | Values Added |
---|---|---|
New CVE | | |
Information
Published : 2025-05-17 16:15
Updated : 2025-06-12 16:29
NVD link : CVE-2025-47273
Mitre link : CVE-2025-47273
CVE.ORG link : CVE-2025-47273
Products Affected
debian
- debian_linux
python
- setuptools
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')