CVE-2025-47273

Public Exploit

setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write

Description

setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.

References

Link	Tags
https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf	exploit vendor advisory
https://github.com/pypa/setuptools/issues/4946	exploit issue tracking
https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b	patch
https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88	product
https://lists.debian.org/debian-lts-announce/2025/05/msg00035.html	mailing list

Frequently Asked Questions

What is the severity of CVE-2025-47273?: CVE-2025-47273 has been scored as a high severity vulnerability.
How to fix CVE-2025-47273?: To fix CVE-2025-47273, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-47273 being actively exploited in the wild?: It is possible that CVE-2025-47273 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-47273?: CVE-2025-47273 affects pypa setuptools.

Description

Category

CWE-22 – Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

References

Frequently Asked Questions