CVE-2025-47273

Aliases:GHSA-5rjg-fvgr-3xxfBIT-setuptools-2025-47273PYSEC-2025-49ECHO-2d75-a206-3684

Advisory lineage Upstream: 0 Downstream: 48

Downstream

DEBIAN-CVE-2025-47273 DLA-4183-1 MGASA-2025-0288 OPENSUSE-SU-2026:10539-1 RHSA-2025:10407 RHSA-2025:11036

Analyzed

Published: 17 May 2025, 15:46

Last modified:28 May 2025, 15:03

Vulnerability Summary

Overall Risk (default)

medium

45/100

CVSS Score

8.8 HIGH

v3.1 (nvd)

EPSS Score

0.12% LOW

0% probability -0.06%

KEV

Not listed

Ransomware

No reports

Public exploits

1 found

Dark Web

Not detected

Timeline

17 May 2025, 15:46

Published

Vulnerability first disclosed

28 May 2025, 15:03

Last Modified

Vulnerability information updated

Description

setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.

CVSS Metrics

v4.0•HIGH•Score: 7.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
v4.0•HIGH•Score: 7.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
v3.1•HIGH•Score: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.12%• Percentile: 31%

Techniques & Countermeasures

CWE-22•Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Affected Systems

debian•debian_linux
11.0
pypa•setuptools
< 78.1.1
PyPI•setuptools
< 78.1.1 | < 250a6d17978f9f6ac3ac887091f2d32886fbbb0b
python•setuptools
< 78.1.1