Platform
python
Component
setuptools
Fixed in
78.1.2
78.1.1
CVE-2025-47273 identifies a remote code execution (RCE) vulnerability within the setuptools package, a crucial tool for Python package management. This flaw stems from a path traversal issue in the PackageIndex component, enabling unauthorized file writes. Versions of setuptools prior to 78.1.1 are affected, and upgrading to the patched version is the recommended remediation.
The path traversal vulnerability in setuptools allows an attacker to write files to arbitrary locations on the filesystem. This is particularly dangerous because the files are written with the permissions of the process running the Python code. In many deployment scenarios, this process will have elevated privileges, allowing the attacker to escalate their access and achieve remote code execution. Successful exploitation could lead to complete system compromise, data theft, or the installation of malicious software. The impact is amplified in environments where setuptools is used to install or update critical system components, as an attacker could inject malicious code into these components.
CVE-2025-47273 was publicly disclosed on 2025-05-17. There is currently no indication of active exploitation in the wild, but the RCE nature of the vulnerability and the widespread use of setuptools make it a high-priority concern. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are expected to emerge, increasing the risk of exploitation.
Exploit Status
EPSS
0.49% (65% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-47273 is to upgrade setuptools to version 78.1.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter file system access controls to limit the permissions of the Python process running setuptools. Additionally, review and restrict the directories accessible by setuptools. While not a complete solution, employing a Web Application Firewall (WAF) with rules to block suspicious file path manipulations can offer a layer of defense. After upgrading, verify the fix by attempting to install a package using a deliberately malformed path to confirm that the vulnerability is no longer exploitable.
Actualice setuptools a la versión 78.1.1 o superior. Puede hacerlo utilizando el gestor de paquetes pip con el comando `pip install --upgrade setuptools`. Esto corregirá la vulnerabilidad de path traversal.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-47273 is a Remote Code Execution vulnerability in setuptools versions prior to 78.1.1, allowing attackers to write files to arbitrary locations and potentially achieve remote code execution.
You are affected if you are using setuptools versions 9.1 or earlier. Upgrade to 78.1.1 or later to resolve the vulnerability.
Upgrade setuptools to version 78.1.1 or later using pip: python -m pip install --upgrade setuptools==78.1.1.
There is currently no confirmed active exploitation, but the vulnerability's severity and widespread use of setuptools make it a high-priority concern.
Refer to the setuptools project's release notes and security advisories on their official website or GitHub repository for the latest information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.