CVE-2025-47273
Published 2025-05-17
Priority P2 · 61 · high · 8.8 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS 1.48% (70.7th percentile)
setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | setuptools | < setuptools 66.1.1-1+deb12u2 (bookworm) | setuptools 66.1.1-1+deb12u2 (bookworm) |
| msrc | azl3_python-setuptools_69.0.3-5_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-virtualenv_20.36.1-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_python3_3.12.9-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.16.1-9_on_azure_linux_3.0 | — | — |
| msrc | cbl2_python-virtualenv_20.26.6-1_on_cbl_mariner_2.0 | — | — |
| pypa | setuptools | < 78.1.1 | 78.1.1 |
| python | setuptools | < 78.1.1 | 78.1.1 |
| python | setuptools | >= 0 < 52.0.0-4+deb11u2 | 52.0.0-4+deb11u2 |
| python | setuptools | >= 0 < 66.1.1-1+deb12u2 | 66.1.1-1+deb12u2 |
| python | setuptools | >= 0 < 78.1.1-0.1 | 78.1.1-0.1 |
| python | setuptools | >= 0 < 78.1.1-0.1 | 78.1.1-0.1 |
| python | setuptools | >= 0 < 78.1.1 | 78.1.1 |
Detection & IOCs (extracted from sources)
- The vulnerability exists in the `PackageIndex` component of setuptools — specifically the `PackageIndex.download()` function. Monitor for invocations of this function with path traversal sequences (e.g., `../`) in package download URLs that could result in file writes outside the intended temporary directory.
- Exploitation requires triggering the vulnerable `PackageIndex.download()` function — monitor scripts, plugins, or automated jobs that invoke this function in Python environments running setuptools < 78.1.1.
- The attack vector involves manipulating package download URLs to bypass filename sanitization and write files outside the intended temporary directory. Inspect URLs passed to `PackageIndex` for path traversal patterns.
- Audit filesystem writes by Python processes to locations outside expected package installation directories, especially in automated package handling or internal tooling environments using setuptools.
- The vulnerability is only exploitable in setuptools versions prior to 78.1.1. Environments running 78.1.1 or later are not affected. Debian bookworm is fixed in 66.1.1-1+deb12u2 and bullseye in 52.0.0-4+deb11u2 via backported patches.
- Exploitation requires at minimum limited code execution access to a Python environment — a completely unprivileged user with no access cannot exploit this vulnerability.
- The vulnerability only allows creation of new files, not reading or overwriting existing ones directly — however, arbitrary file writes can still overwrite critical config files, executables, or scripts leading to persistent code execution.
- The vulnerability does not cross trust boundaries (e.g., container-to-container or user-to-kernel); impact is confined to the same security boundary as the running process.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 7.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 7.7 | HIGH | — |
| vendor_msrc | — | 8.8 | HIGH | — |
| vendor_debian | — | 7.7 | HIGH | — |
| vendor_redhat | — | 7.7 | HIGH | — |
Ubuntu
pip vulnerabilities
vendor_ubuntu·2026-02-04
CVE-2025-66418 pip vulnerabilities
Title: pip vulnerabilities
Summary: Several security issues were fixed in pip.
Several security issues were discovered in the libraries bundled in pip. An
attacker could possibly use these issues to perform a variety of attacks,
such as denial of service or arbitrary code execution.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Setuptools vulnerability
vendor_ubuntu·2025-05-28
CVE-2025-47273 Setuptools vulnerability
Title: Setuptools vulnerability
Summary: Setuptools could be made to write files to arbitrary locations on the filesystem.
It was discovered that setuptools did not properly sanitize paths. An
attacker could possibly use this issue to write files to arbitrary
locations on the filesystem.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
setuptools: Path Traversal Vulnerability in setuptools PackageIndex
vendor_redhat·2025-05-17·CVSS 7.7
CVE-2025-47273 [HIGH] CWE-22 setuptools: Path Traversal Vulnerability in setuptools PackageIndex
setuptools: Path Traversal Vulnerability in setuptools PackageIndex
setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.
A path traversal vulnerability in the Python setuptools library allows attackers with limited system access to write files outside the intended temporary directory by manipulating package download URLs. This flaw bypasses basic filename sanitization and can lead to unau
Microsoft
setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write
vendor_msrc·2025-05-13·CVSS 8.8
CVE-2025-47273 [HIGH] CWE-22 setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write
setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Rem
Debian
CVE-2025-47273: setuptools - setuptools is a package that allows users to download, build, install, upgrade, ...
vendor_debian·2025·CVSS 7.7
CVE-2025-47273 [HIGH] CVE-2025-47273: setuptools - setuptools is a package that allows users to download, build, install, upgrade, ...
setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.
Scope: local
bookworm: resolved (fixed in 66.1.1-1+deb12u2)
bullseye: resolved (fixed in 52.0.0-4+deb11u2)
forky: resolved (fixed in 78.1.1-0.1)
sid: resolved (fixed in 78.1.1-0.1)
trixie: resolved (fixed in 78.1.1-0.1)
OSV
setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write
osv·2025-05-19
CVE-2025-47273 [HIGH] setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write
setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write
### Summary
A path traversal vulnerability in `PackageIndex` was fixed in setuptools version 78.1.1
### Details
```
def _download_url(self, url, tmpdir):
    # Determine download filename
    #
    name, _fragment = egg_info_for_url(url)
    if name:
        while '..' in name:
            name = name.replace('..', '.').replace('\\', '_')
    else:
        name = "__downloaded__"  # default if URL has no path contents

    if name.endswith('.egg.zip'):
        name = name[:-4]  # strip the extra .zip before download

    filename = os.path.join(tmpdir, name)  # <-- vulnerable: an absolute `name` makes join() drop tmpdir
```
Here: https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88
`os.path.join()` discards the firs
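The following is an added example, not setuptools' own code: it models the snippet above (URL to last path segment, the `..` loop, the join) to show why the loop alone is not enough, and pairs it with the containment check a defender would want; it also serves the detection bullet earlier on inspecting URLs passed to `PackageIndex`. The function names are assumptions, and `posixpath` stands in for `os.path` so the result is identical on every OS.

```python
"""Added example (not setuptools' own code) for CVE-2025-47273.

Models the advisory snippet: the `..` loop only collapses dot-dot segments,
so a percent-encoded absolute path survives it and os.path.join() then
discards tmpdir. The hardened variant adds a containment check.
"""
import posixpath
from urllib.parse import unquote, urlparse


def name_from_url(url: str) -> str:
    """Last URL path segment, percent-decoded (models egg_info_for_url)."""
    return unquote(urlparse(url).path.split('/')[-1])


def sanitize_name(name: str) -> str:
    """The clean-up loop from the advisory snippet, reproduced as-is."""
    if name:
        while '..' in name:
            name = name.replace('..', '.').replace('\\', '_')
    else:
        name = "__downloaded__"  # default if URL has no path contents
    return name


def vulnerable_target(url: str, tmpdir: str) -> str:
    """Pre-78.1.1 shape: join without checking where the result lands.

    A decoded name that starts with '/' makes join() drop tmpdir entirely.
    """
    return posixpath.join(tmpdir, sanitize_name(name_from_url(url)))


def hardened_target(url: str, tmpdir: str) -> str:
    """Same join, then reject any path that resolves outside tmpdir.

    Containment check is the generic mitigation for this bug class (assumed
    here; not a transcription of the project's fix commit).
    """
    filename = posixpath.normpath(
        posixpath.join(tmpdir, sanitize_name(name_from_url(url)))
    )
    root = posixpath.normpath(tmpdir)
    if filename != root and not filename.startswith(root + '/'):
        raise ValueError(f"download target escapes {tmpdir!r}: {filename!r}")
    return filename
```

The same `hardened_target` check can be run over URLs seen in logs to flag the ones that would have escaped the download directory on an unpatched host.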
GHSA
setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write
ghsa·2025-05-19
CVE-2025-47273 [HIGH] CWE-22 setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write
setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write
(Advisory body identical to the OSV entry above.)
OSV
CVE-2025-47273: setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages
osv·2025-05-17·CVSS 7.7
CVE-2025-47273 [HIGH] CVE-2025-47273: setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages
setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-47273 python3.6: Path Traversal Vulnerability in setuptools PackageIndex [fedora-42]
bugzilla·2025-06-13·CVSS 7.7
CVE-2025-47273 [HIGH] CVE-2025-47273 python3.6: Path Traversal Vulnerability in setuptools PackageIndex [fedora-42]
CVE-2025-47273 python3.6: Path Traversal Vulnerability in setuptools PackageIndex [fedora-42]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2366982
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
We (python-main) decided not to proactively fix CVEs that are not present or requested to be fixed in RHEL for EOL Python interpreters that are in Fedora only for testing purposes.
---
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2
Bugzilla
CVE-2025-47273 setuptools: Path Traversal Vulnerability in setuptools PackageIndex
bugzilla·2025-05-17·CVSS 7.7
CVE-2025-47273 [HIGH] CVE-2025-47273 setuptools: Path Traversal Vulnerability in setuptools PackageIndex
CVE-2025-47273 setuptools: Path Traversal Vulnerability in setuptools PackageIndex
setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10
Via RHSA-2025:9940 https://access.redhat.com/errata/RHSA-2025:9940
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux
References:
- https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88
- https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b
- https://github.com/pypa/setuptools/issues/4946
- https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf
- https://lists.debian.org/debian-lts-announce/2025/05/msg00035.html
Published: 2025-05-17