CVE-2025-47273

17.05.2025, 16:15

setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.

Path Traversal

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
GitHub_M	CNA	---				---
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 28%

Vendor	Product	Version
python	setuptools	𝑥 < 78.1.1
debian	debian_linux	11.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

setuptools

bullseye	vulnerable
bookworm	no-dsa
bullseye (security)	52.0.0-4+deb11u2 fixed
trixie	78.1.1-0.1 fixed
sid	78.1.1-0.1 fixed

Known Exploits!

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Vulnerability Media Exposure

[GERMAN] Red Hat Enterprise Linux (python-setuptools): Schwachstelle ermöglicht Codeausführung
Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Red Hat Enterprise Linux ausnutzen, um beliebigen Programmcode auszuführen.
Published: 2025-06-30T22:00:00+00:00

References

https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88

https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b

https://github.com/pypa/setuptools/issues/4946

https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf

https://lists.debian.org/debian-lts-announce/2025/05/msg00035.html

https://github.com/pypa/setuptools/issues/4946