CVE-2025-47273: setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write
A path traversal vulnerability in `PackageIndex.download` (setuptools/package_index.py) allowed a download filename derived from a URL to escape the intended directory, leading to an arbitrary file write. It was fixed in setuptools version 78.1.1.
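As an added illustration (not code from setuptools, its fix commit, or this advisory), the defensive check that closes this class of bug: derive the filename from the URL, then refuse any name that is not a single path component or that resolves outside the directory the download is meant to land in. The `filename_from_url` helper is a simplified stand-in assumed for this example, not setuptools' own `egg_info_for_url`, and the URLs are constructed samples.

```python
import os
from urllib.parse import unquote, urlparse


def filename_from_url(url: str) -> str:
    """Derive a download filename from the last path segment of a URL.

    Simplified stand-in assumed for this example (not setuptools' own
    egg_info_for_url): take the final '/'-separated segment of the URL path,
    then percent-decode it. Decoding is the step that can reintroduce '/'
    or '..' into a name that looked like a plain basename before.
    """
    path = urlparse(url).path
    name = unquote(path.split("/")[-1])
    return name or "__downloaded__"


def confined_download_path(tmpdir: str, url: str) -> str:
    """Return the path under tmpdir where the URL's file may be written.

    Two layered checks:
      1. the decoded name must be a single path component: not '.' or '..',
         and containing no '/' or '\\' (os.sep / os.altsep on any platform);
      2. the fully resolved target must still lie inside the resolved tmpdir.
         This catches anything check 1 misses, including absolute names that
         os.path.join would otherwise accept verbatim.
    Raises ValueError instead of silently rewriting the name.
    """
    name = filename_from_url(url)
    bad_chars = {"/", "\\", "\x00", os.sep}
    if os.altsep:
        bad_chars.add(os.altsep)
    if name in (".", "..") or any(c in name for c in bad_chars):
        raise ValueError(f"refusing unsafe download filename: {name!r}")

    root = os.path.realpath(tmpdir)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"download path escapes {root}: {target}")
    return target


def is_safe_download(tmpdir: str, url: str) -> bool:
    """Boolean wrapper around confined_download_path, convenient for tests."""
    try:
        confined_download_path(tmpdir, url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample URLs: one benign, three that must be refused.
    samples = [
        "https://example.invalid/simple/pkg-1.0.tar.gz",       # accepted
        "https://example.invalid/dl/..%2F..%2Fescaped.txt",    # decodes to ../../escaped.txt
        "https://example.invalid/dl/%2Fabs%2Fescaped.txt",     # decodes to /abs/escaped.txt
        "https://example.invalid/dl/%2e%2e",                   # decodes to ..
    ]
    for u in samples:
        print(f"{u} -> {'ok' if is_safe_download('/tmp/build', u) else 'REFUSED'}")
```

The second check is deliberately kept even though the first already rejects separators: a confinement check on the resolved path does not depend on enumerating every character an encoder might smuggle through, so it keeps holding when the name-derivation logic in front of it changes.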
References
- github.com/advisories/GHSA-5rjg-fvgr-3xxf
- github.com/pypa/advisory-database/tree/main/vulns/setuptools/PYSEC-2025-49.yaml
- github.com/pypa/setuptools
- github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py
- github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b
- github.com/pypa/setuptools/issues/4946
- github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf
- lists.debian.org/debian-lts-announce/2025/05/msg00035.html
- nvd.nist.gov/vuln/detail/CVE-2025-47273