Vulnerability Description
setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Python | Setuptools | < 78.1.1 |
| Debian | Debian Linux | 11.0 |
Related Weaknesses (CWE)
References
- https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558Product
- https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbbPatch
- https://github.com/pypa/setuptools/issues/4946ExploitIssue Tracking
- https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxfExploitVendor Advisory
- https://lists.debian.org/debian-lts-announce/2025/05/msg00035.htmlMailing List
- https://github.com/pypa/setuptools/issues/4946ExploitIssue Tracking
FAQ
What is CVE-2025-47273?
CVE-2025-47273 is a vulnerability with a CVSS score of 8.8 (HIGH). setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to versio...
How severe is CVE-2025-47273?
CVE-2025-47273 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-47273?
Check the references section above for vendor advisories and patch information. Affected products include: Python Setuptools, Debian Debian Linux.