CVE-2025-47273
published 2025-05-17

Priority: P2 · 61 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 1.48% (70.7th percentile)
setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.

Affected

14 ranges

Vendor   | Product                                               | Version range                              | Fixed in
---------|-------------------------------------------------------|--------------------------------------------|--------------------------------------------
debian   | debian_linux                                          |                                            |
debian   | setuptools                                            | < setuptools 66.1.1-1+deb12u2 (bookworm)   | setuptools 66.1.1-1+deb12u2 (bookworm)
msrc     | azl3_python-setuptools_69.0.3-5_on_azure_linux_3.0    |                                            |
msrc     | azl3_python-virtualenv_20.36.1-1_on_azure_linux_3.0   |                                            |
msrc     | azl3_python3_3.12.9-1_on_azure_linux_3.0              |                                            |
msrc     | azl3_tensorflow_2.16.1-9_on_azure_linux_3.0           |                                            |
msrc     | cbl2_python-virtualenv_20.26.6-1_on_cbl_mariner_2.0   |                                            |
pypa     | setuptools                                            | < 78.1.1                                   | 78.1.1
python   | setuptools                                            | < 78.1.1                                   | 78.1.1
python   | setuptools                                            | >= 0 < 52.0.0-4+deb11u2                    | 52.0.0-4+deb11u2
python   | setuptools                                            | >= 0 < 66.1.1-1+deb12u2                    | 66.1.1-1+deb12u2
python   | setuptools                                            | >= 0 < 78.1.1-0.1                          | 78.1.1-0.1
python   | setuptools                                            | >= 0 < 78.1.1-0.1                          | 78.1.1-0.1
python   | setuptools                                            | >= 0 < 78.1.1                              | 78.1.1

Detection & IOCs (extracted from sources)

  • The vulnerability exists in the `PackageIndex` component of setuptools — specifically the `PackageIndex.download()` function. Monitor for invocations of this function with path traversal sequences (e.g., `../`) in package download URLs that could result in file writes outside the intended temporary directory.
  • Exploitation requires triggering the vulnerable `PackageIndex.download()` function — monitor scripts, plugins, or automated jobs that invoke this function in Python environments running setuptools < 78.1.1.
  • The attack vector involves manipulating package download URLs to bypass filename sanitization and write files outside the intended temporary directory. Inspect URLs passed to PackageIndex for path traversal patterns.
  • Audit filesystem writes by Python processes to locations outside expected package installation directories, especially in automated package handling or internal tooling environments using setuptools.
  • The vulnerability is only exploitable in setuptools versions prior to 78.1.1. Environments running 78.1.1 or later are not affected. Debian bookworm is fixed in 66.1.1-1+deb12u2 and bullseye in 52.0.0-4+deb11u2 via backported patches.
  • Exploitation requires at minimum limited code execution access to a Python environment — a completely unprivileged user with no access cannot exploit this vulnerability.
  • The vulnerability only allows creation of new files, not reading or overwriting existing ones directly — however, arbitrary file writes can still overwrite critical config files, executables, or scripts, leading to persistent code execution.
  • The vulnerability does not cross trust boundaries (e.g., container-to-container or user-to-kernel); impact is confined to the same security boundary as the running process.
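Two of the checks above (the version gate and the inspection of download URLs for names that would land outside the intended directory) as an added example. This is not setuptools' code nor the record's own tooling; the containment test is a generic realpath/commonpath check written here to illustrate the pattern, not the project's patch, and the sample URLs and the download directory are constructed for the example.

```python
"""Added example, not code from setuptools or from the CVE record.

Two defender-side checks that follow from the advisory text:

  * is_vulnerable_version()  - flags a setuptools version string that is
    below the fixed release 78.1.1 named in the advisory.
  * url_escapes_directory()  - derives the filename a naive downloader
    would take from a package download URL (last raw path segment,
    percent-decoded) and reports whether that name would resolve outside
    the intended download directory, the traversal pattern the advisory
    describes.  The containment test is a generic realpath/commonpath
    check, not setuptools' own fix.

The URLs in SAMPLE_URLS are constructed for this example.
"""
import os
from urllib.parse import unquote, urlsplit

# Fixed release taken from the advisory text.
FIXED_VERSION = (78, 1, 1)


def parse_version(text):
    """Turn '78.1.1' into (78, 1, 1). Pre-release suffixes such as 'rc1'
    are dropped, so a pre-release of 78.1.1 is treated as fixed here."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable_version(version_text):
    """True when the reported setuptools version predates the fix."""
    return parse_version(version_text) < FIXED_VERSION


def candidate_filename(url):
    """The filename a naive downloader derives from a URL: the last raw
    path segment, percent-decoded.  Decoding after the split is what lets
    an encoded separator or '..' end up inside the 'filename'."""
    raw_last = urlsplit(url).path.rsplit("/", 1)[-1]
    return unquote(raw_last)


def url_escapes_directory(url, download_dir):
    """True when joining the derived filename onto download_dir would
    resolve to a path outside download_dir."""
    base = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(base, candidate_filename(url)))
    try:
        return os.path.commonpath([base, target]) != base
    except ValueError:
        # Different drives on Windows: certainly not inside download_dir.
        return True


def audit_download_urls(urls, download_dir):
    """Return the subset of urls whose derived filename leaves download_dir."""
    return [u for u in urls if url_escapes_directory(u, download_dir)]


# Constructed sample inputs for the example (not real package URLs).
SAMPLE_URLS = [
    "https://index.example.test/packages/demo-1.0.tar.gz",
    "https://index.example.test/packages/demo-1.0.tar.gz#md5=0123",
    "https://index.example.test/packages/..%2F..%2Foutside.txt",
]

if __name__ == "__main__":
    download_dir = "/tmp/setuptools-downloads"  # constructed for the example
    flagged = audit_download_urls(SAMPLE_URLS, download_dir)
    for url in SAMPLE_URLS:
        print(("ESCAPES  " if url in flagged else "contained") + "  " + url)
    for v in ("66.1.1", "78.1.0", "78.1.1", "80.0.0"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
```

The version check is only a first filter: distribution builds such as Debian's 66.1.1-1+deb12u2 carry the backported fix despite a version number below 78.1.1, so pair it with the package manager's own advisory data. The URL audit is the check to run over logged or proxied index traffic in automated package-handling jobs, since a contained filename is the property the fix restores.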

CVSS provenance

Source        | Version | Score | Severity | Vector
--------------|---------|-------|----------|-------
nvd           | v3.1    | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd           | v4.0    | 7.7   | HIGH     | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv           |         | 7.7   | HIGH     |
vendor_msrc   |         | 8.8   | HIGH     |
vendor_debian |         | 7.7   | HIGH     |
vendor_redhat |         | 7.7   | HIGH     |