setuptools
Behoben in
78.1.2
78.1.1
CVE-2025-47273 describes a remote code execution (RCE) vulnerability within the setuptools package, a crucial tool for Python package management. This flaw stems from a path traversal issue in the PackageIndex component, allowing attackers to write files to arbitrary locations on the filesystem. Versions of setuptools prior to 78.1.1 are affected, and upgrading to the patched version is the recommended solution.
The path traversal vulnerability in setuptools allows an attacker to manipulate file paths during package installation or updates. By crafting malicious package index data, an attacker can trick setuptools into writing files outside of the intended directories. This can lead to arbitrary code execution if the attacker can place a malicious script in a location where it will be executed by a privileged process. The potential impact is significant, as successful exploitation could grant an attacker complete control over the affected system. This is particularly concerning in automated build environments or systems where setuptools is used to manage dependencies.
This vulnerability was publicly disclosed on 2025-05-17. No public proof-of-concept (PoC) code has been released as of this writing, but the path traversal nature of the vulnerability suggests that a PoC could be developed relatively easily. The vulnerability is not currently listed on the CISA KEV catalog. Given the potential for remote code execution and the ease of exploitation, it is considered a high-priority vulnerability.
Development environments utilizing Python and setuptools are at risk. Continuous integration/continuous deployment (CI/CD) pipelines that automatically install Python packages are particularly vulnerable, as they could be exploited to inject malicious code into deployed applications. Organizations using custom Python scripts or tools that rely on setuptools for package management should also prioritize remediation.
• python / package-manager:
Get-Package -Name setuptools | Select-Object Version• python / package-manager:
python -m pip show setuptools• generic web: Check for unusual files or directories created during package installation or upgrade processes. Monitor system logs for suspicious file access attempts. • generic web: Review Python scripts for calls to setuptools functions that handle file paths, looking for potential path traversal vulnerabilities.
disclosure
Exploit-Status
EPSS
0.49% (65% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2025-47273 is to upgrade setuptools to version 78.1.1 or later. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing stricter file system permissions to limit the impact of a potential exploit. Review and restrict the directories where setuptools is allowed to write files. Implement input validation on package index data to prevent path traversal attempts. Monitor system logs for unusual file creation activity in unexpected locations. After upgrading, confirm the fix by attempting to install a package with a deliberately crafted, but harmless, path traversal payload to ensure the vulnerability is no longer exploitable.
Actualice setuptools a la versión 78.1.1 o superior. Puede hacerlo utilizando el gestor de paquetes pip con el comando `pip install --upgrade setuptools`. Esto corregirá la vulnerabilidad de path traversal.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-47273 is a Remote Code Execution vulnerability in setuptools versions prior to 78.1.1, allowing attackers to write files to arbitrary locations and potentially achieve remote code execution.
You are affected if you are using setuptools versions 9.1 or earlier. Upgrade to 78.1.1 or later to resolve the vulnerability.
Upgrade setuptools to version 78.1.1 or later using pip: python -m pip install --upgrade setuptools==78.1.1.
There is currently no confirmed active exploitation, but the vulnerability's severity and widespread use of setuptools make it a high-priority concern.
Refer to the setuptools project's release notes and security advisories on their official website or GitHub repository for the latest information.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine requirements.txt-Datei hoch und wir sagen dir sofort, ob du betroffen bist.