CVE-2024-6345

Aliases:GHSA-cx63-2mw6-8hw5BIT-setuptools-2024-6345

Advisory lineage Upstream: 0 Downstream: 50

Downstream

ALPINE-CVE-2024-6345 DEBIAN-CVE-2024-6345 DLA-3876-1 MGASA-2025-0056 OPENSUSE-SU-2024:14294-1 RHSA-2024:5000

Deferred

Published: 15 Jul 2024, 00:00

Last modified:04 Nov 2025, 16:15

Vulnerability Summary

Overall Risk (default)

medium

37/100

CVSS Score

8.8 HIGH

v3.0 (cve.org)

EPSS Score

7.52% LOW

8% probability +0.98%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

15 Jul 2024, 00:00

Published

Vulnerability first disclosed

04 Nov 2025, 16:15

Last Modified

Vulnerability information updated

Description

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

CVSS Metrics

v4.0•HIGH•Score: 7.5CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
v3.1•HIGH•Score: 8.8CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
v3.0•HIGH•Score: 8.8CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 7.52%• Percentile: 92%

Techniques & Countermeasures

CWE-94•Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Affected Systems

pypa•pypa/setuptools
≥ unspecified, < 70.0
PyPI•setuptools
< 70.0.0