BIT-setuptools-2025-47273
Path Traversal vulnerability in setuptools (PyPI)
What is BIT-setuptools-2025-47273 About?
This vulnerability in setuptools, specifically in `PackageIndex` prior to version 78.1.1, allows for path traversal. An attacker can write files to arbitrary locations on the filesystem with the permissions of the process running Python code, potentially leading to remote code execution. Exploitation requires providing a maliciously crafted package or index, making it moderately easy to leverage in certain scenarios.
Affected Software
- setuptools
- <250a6d17978f9f6ac3ac887091f2d32886fbbb0b
- <78.1.1
Technical Details
The vulnerability is a 'Path Traversal' in the setuptools package, affecting versions prior to 78.1.1. It specifically resides within the PackageIndex component. When processing package metadata or during package installation, if PackageIndex handles a specially crafted input (e.g., a malicious package archive or an index controlling file paths), an attacker can use directory traversal sequences (e.g., ../, ..\) within file paths. This allows the attacker to write files not only within the intended package installation directory but also to arbitrary locations on the filesystem. The impact escalates to remote code execution (RCE) if the attacker can overwrite critical system files or inject executable code into directories that are later executed by the Python process or other system components, inheriting the permissions of the process running Python.
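The defensive check the paragraph above implies, as an added Python example that is not setuptools' own code or its fix: a download file name is derived from the last URL path segment, percent-decoded, and then refused unless it is a plain file name whose resolved location stays directly inside the download directory. `filename_from_url`, `safe_download_path` and `classify` are hypothetical helpers written for this page, and the sample URLs and names are constructed. The example goes slightly beyond the text by rejecting both `/` and `\` regardless of platform and by catching an encoded separator (`%2F`, `%5C`) that only appears after decoding.

```python
import os
from urllib.parse import unquote, urlsplit


class UnsafeFilenameError(ValueError):
    """Raised when a candidate file name would escape the download directory."""


def filename_from_url(url: str) -> str:
    """Take the last path segment of a URL as the download file name.

    Hypothetical helper mirroring the common pattern of naming a download
    after its index URL. The segment is percent-decoded, so an encoded '%2F'
    or '%5C' turns back into a separator and must be caught afterwards.
    """
    last_segment = urlsplit(url).path.rsplit("/", 1)[-1]
    return unquote(last_segment)


def safe_download_path(base_dir: str, name: str) -> str:
    """Join `name` onto `base_dir`, refusing anything that is not a plain file name."""
    base = os.path.realpath(base_dir)
    if not name or name in (".", ".."):
        raise UnsafeFilenameError(f"refusing empty or dot-only name: {name!r}")
    # Both separators are rejected on every platform, so a name crafted for
    # Windows ('..\\x') is refused on POSIX too, and a NUL byte never reaches
    # the filesystem layer.
    if "/" in name or "\\" in name or "\x00" in name:
        raise UnsafeFilenameError(f"refusing name with separator: {name!r}")
    candidate = os.path.realpath(os.path.join(base, name))
    # Belt and braces: after symlink resolution the target must still sit
    # directly inside base (catches a pre-existing symlink with that name).
    if os.path.dirname(candidate) != base:
        raise UnsafeFilenameError(f"{name!r} resolves outside {base}")
    return candidate


def classify(base_dir: str, names):
    """Label each candidate name as accepted or rejected by safe_download_path."""
    verdicts = {}
    for name in names:
        try:
            safe_download_path(base_dir, name)
            verdicts[name] = "accepted"
        except UnsafeFilenameError:
            verdicts[name] = "rejected"
    return verdicts


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real index.
    sample_urls = [
        "https://index.example.invalid/simple/pkg/pkg-1.0.tar.gz#egg=pkg",
        "https://index.example.invalid/simple/pkg/..%2Foutside.txt",
        "https://index.example.invalid/simple/pkg/..%5Coutside.txt",
    ]
    names = [filename_from_url(u) for u in sample_urls] + ["sub/pkg.whl", "..", ""]
    for name, verdict in classify("/tmp/downloads", names).items():
        print(f"{verdict:8} {name!r}")
```

The separator check is what does the work; the `realpath` containment test is a second line of defence for names that are syntactically clean but point at something already on disk.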
What is the Impact of BIT-setuptools-2025-47273?
Successful exploitation may allow attackers to write arbitrary files to the filesystem, leading to privilege escalation, arbitrary code execution, or system compromise.
What is the Exploitability of BIT-setuptools-2025-47273?
Exploitation typically involves providing a specially crafted Python package or a malicious package index that setuptools will parse. The complexity is moderate, requiring the attacker to understand how setuptools processes package file paths. There are no explicit authentication requirements, as the attack vectors involve supplying a malicious package to a system that uses setuptools (e.g., a CI/CD pipeline, a build system, or direct user installation). The attack is effectively remote if the malicious package is downloaded from a repository. The primary prerequisite is that the system processes untrusted packages or package metadata using a vulnerable version of setuptools. Risk factors increase if an organization builds or installs packages from untrusted sources or if users frequently install packages without proper validation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-setuptools-2025-47273?
Available Upgrade Options
- setuptools
- <78.1.1 → Upgrade to 78.1.1
- setuptools
- <250a6d17978f9f6ac3ac887091f2d32886fbbb0b → Upgrade to 250a6d17978f9f6ac3ac887091f2d32886fbbb0b
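A quick way to confirm an environment is on a fixed release, as an added Python example not taken from the page or from setuptools: `is_fixed` compares a version string against the 78.1.1 threshold listed above, treating pre-release tags (`rc1`, `a1`, `dev`) as older than the final release and `.post` releases as newer, and `installed_setuptools_status` reads the installed version through `importlib.metadata`. The parser is a deliberately small stand-in for PEP 440 handling, written for this page.

```python
import re
from importlib import metadata

# First release the advisory lists as fixed.
FIXED_VERSION = (78, 1, 1, 0)


def parse_version(version: str):
    """Map 'MAJOR.MINOR[.PATCH][suffix]' to a comparable tuple.

    The fourth element ranks the suffix: -1 for pre-releases (rc, a, b, dev),
    0 for a bare release, +1 for a .post release.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    if suffix == "":
        rank = 0
    elif suffix.startswith(".post"):
        rank = 1
    else:
        rank = -1
    return (int(major), int(minor), int(patch or 0), rank)


def is_fixed(version: str) -> bool:
    """True when `version` is 78.1.1 or later."""
    return parse_version(version) >= FIXED_VERSION


def installed_setuptools_status():
    """Return (installed_version, fixed?) or (None, None) when not installed."""
    try:
        installed = metadata.version("setuptools")
    except metadata.PackageNotFoundError:
        return None, None
    return installed, is_fixed(installed)


if __name__ == "__main__":
    installed, fixed = installed_setuptools_status()
    if installed is None:
        print("setuptools is not installed in this environment")
    else:
        print(f"setuptools {installed}: {'fixed' if fixed else 'VULNERABLE, upgrade to >=78.1.1'}")
```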
Additional Resources
- https://lists.debian.org/debian-lts-announce/2025/05/msg00035.html
- https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88
- https://github.com/pypa/setuptools/issues/4946
- https://osv.dev/vulnerability/PYSEC-2025-49
- https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf
- https://osv.dev/vulnerability/GHSA-5rjg-fvgr-3xxf
- https://github.com/pypa/setuptools
What are Similar Vulnerabilities to BIT-setuptools-2025-47273?
Similar Vulnerabilities: CVE-2023-45136, CVE-2022-24765, CVE-2021-4190, CVE-2020-19273, CVE-2019-15065
