GHSA-94v7-wxj6-r2q5: multicast in source builds from vulnerable setuptools dependency
- Some source builds may be impacted by CWE-1395 (dependency on a vulnerable third-party component), e.g. a vulnerable setuptools dependency.
- Multicast prior to v2.0.9a3, on systems with only minimal dependencies installed, may use setuptools <78.1.1 and thus rely on a compromised dependency. In some cases source builds could fail due to an exploit of the closely related CVE-2025-47273, or be arbitrarily modified.
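The practical check that follows from this advisory is whether a source build can resolve to a setuptools older than 78.1.1: either because the project's `[build-system] requires` entry leaves setuptools unpinned (PEP 517 then uses whatever the host has installed), or because the host's installed setuptools is itself old. The script below is an added example, not code from the multicast project or from the advisory; the two `pyproject.toml` fragments are constructed for the demonstration and are not the project's real files, and the 78.1.1 floor is taken from the version bound stated above. It uses only the standard library so it can run on a bare build host.

```python
import re
from importlib import metadata

# Version bound from the advisory text: builds resolving to setuptools <78.1.1 are affected.
SAFE_SETUPTOOLS = "78.1.1"

# Requirement name followed by an optional specifier/extras, optional environment marker.
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(.*?)\s*(?:;.*)?$")
_SPEC_RE = re.compile(r"(===|==|~=|!=|<=|>=|<|>)\s*([0-9][0-9A-Za-z.*+-]*)")


def parse_version(text):
    """Leading numeric release segments of a PEP 440 version as a tuple.

    Pre-release / local suffixes ("78.1.1rc1", "78.1.1+local") are dropped and
    trailing zeros are stripped so that "78.1" and "78.1.0" compare equal.
    """
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
        if m.end() != len(piece):
            break
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def guaranteed_minimum(requirement):
    """(name, lowest version the requirement can resolve to) or (name, None) if unbounded.

    '>=', '==', '===', '~=' establish a floor. '>' is treated like '>=' on purpose:
    a post-release of the excluded version could still resolve, so stay conservative.
    '<', '<=' and '!=' never establish a floor.
    """
    m = _REQ_RE.match(requirement)
    if not m:
        return None, None
    name, spec = m.group(1).lower(), m.group(2)
    floor = None
    for op, ver in _SPEC_RE.findall(spec):
        if op not in (">=", ">", "==", "===", "~="):
            continue
        v = parse_version(ver)
        if floor is None or v > floor:
            floor = v
    return name, floor


def is_setuptools_requirement_safe(requirement, safe=SAFE_SETUPTOOLS):
    """True/False for a setuptools requirement, None if the requirement is another package."""
    name, floor = guaranteed_minimum(requirement)
    if name != "setuptools":
        return None
    return floor is not None and floor >= parse_version(safe)


def audit_build_requires(pyproject_text, safe=SAFE_SETUPTOOLS):
    """Classify the setuptools entry in [build-system] requires of a pyproject.toml text.

    Returns ('safe' | 'unsafe' | 'missing', requirement). 'missing' means no
    setuptools pin at all, so the build inherits whatever the host has installed.
    A small regex is used instead of a TOML parser so this runs on any Python 3.
    """
    block = re.search(r"\[build-system\](.*?)(?:\n\[|\Z)", pyproject_text, re.S)
    if not block:
        return "missing", None
    reqs = re.search(r"requires\s*=\s*\[(.*?)\]", block.group(1), re.S)
    if not reqs:
        return "missing", None
    for req in re.findall(r"""["']([^"']+)["']""", reqs.group(1)):
        verdict = is_setuptools_requirement_safe(req, safe)
        if verdict is not None:
            return ("safe" if verdict else "unsafe"), req
    return "missing", None


def installed_setuptools_status(safe=SAFE_SETUPTOOLS):
    """(installed version, ok) for the interpreter's setuptools; (None, None) if absent."""
    try:
        ver = metadata.version("setuptools")
    except metadata.PackageNotFoundError:
        return None, None
    return ver, parse_version(ver) >= parse_version(safe)


# Constructed sample fragments for the demonstration (not the multicast project's files).
VULNERABLE_PYPROJECT = """\
[build-system]
requires = ["setuptools>=75.0", "wheel"]
build-backend = "setuptools.build_meta"

[project]
name = "demo"
"""

HARDENED_PYPROJECT = """\
[build-system]
requires = ["setuptools>=78.1.1", "wheel"]
build-backend = "setuptools.build_meta"
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_PYPROJECT), ("hardened", HARDENED_PYPROJECT)):
        print(label, audit_build_requires(text))
    print("installed setuptools:", installed_setuptools_status())
```

The `missing` and `unsafe` verdicts are the ones to act on: raise the `[build-system]` floor to `setuptools>=78.1.1` and, for hosts that build from source with minimal dependencies, confirm `installed_setuptools_status()` reports a version at or above that floor before running the build.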
References
- github.com/advisories/GHSA-94v7-wxj6-r2q5
- github.com/pypa/setuptools/issues/4946
- github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf
- github.com/reactive-firewall/multicast
- github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/docs/requirements.txt
- github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/pyproject.toml
- github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/requirements.txt
- github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/tests/requirements.txt
- github.com/reactive-firewall/multicast/commit/c5c7c7de272421d944beca8452871bca6bfd151f
- github.com/reactive-firewall/multicast/security/advisories/GHSA-94v7-wxj6-r2q5