CVE-2025-47273: Path Traversal in Setuptools

CWE-22 (Path Traversal) | 9 documents | 7 sources

Severity: 7.7 HIGH (NVD)
EPSS: 0.5% (top 34.56%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 17; latest update Feb 4

Description

setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages (10 packages)

NVD: python/setuptools < 78.1.1
PyPI: python/setuptools < 78.1.1
Debian: python/setuptools < 52.0.0-4+deb11u2+3
CVEListV5: pypa/setuptools < 78.1.1

Also affects: Debian Linux 11.0

Patches

🔴 Vulnerability Details (3)

OSV: setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write (2025-05-19)
GHSA: setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write (2025-05-19)
OSV: CVE-2025-47273: setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages (2025-05-17)

📋 Vendor Advisories (5)

Ubuntu: pip vulnerabilities (2026-02-04)
Ubuntu: Setuptools vulnerability (2025-05-28)
Red Hat: setuptools: Path Traversal Vulnerability in setuptools PackageIndex (2025-05-17)
Microsoft: setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write (2025-05-13)
Debian: CVE-2025-47273: setuptools - setuptools is a package that allows users to download, build, install, upgrade, ... (2025)
CVE-2025-47273 — Path Traversal in Pypa Setuptools | cvebase