{"id":"PYSEC-2025-49","details":"setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.","aliases":["BIT-setuptools-2025-47273","CVE-2025-47273","GHSA-5rjg-fvgr-3xxf"],"modified":"2025-06-13T06:59:23.470501Z","published":"2025-05-17T16:15:19Z","references":[{"type":"EVIDENCE","url":"https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00035.html"},{"type":"REPORT","url":"https://github.com/pypa/setuptools/issues/4946"},{"type":"FIX","url":"https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b"},{"type":"WEB","url":"https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88"}],"affected":[{"package":{"name":"setuptools","ecosystem":"PyPI","purl":"pkg:pypi/setuptools"},"ranges":[{"type":"GIT","repo":"https://github.com/pypa/setuptools","events":[{"introduced":"0"},{"fixed":"250a6d17978f9f6ac3ac887091f2d32886fbbb0b"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"78.1.1"}]}],"versions":["0.6b1","0.6b2","0.6b3","0.6b4","0.6c1","0.6c10","0.6c11","0.6c2","0.6c3","0.6c4","0.6c5","0.6c6","0.6c7","0.6c8","0.6c9","0.7.2","0.7.3","0.7.4","0.7.5","0.7.6","0.7.7","0.7.8","0.8","0.9","0.9.1","0.9.2","0.9.3","0.9.4","0.9.5","0.9.6","0.9.7","0.9.8","1.0","1.1","1.1.1","1.1.2","1.1.3","1.1.4","1.1.5","1.1.6","1.1.7","1.2","1.3","1.3.1","1.3.2","1.4","1.4.1","1.4.2","10.0","10.0.1","10.1","10.2","10.2.1","11.0","11.1","11.2","11.3","11.3.1","12.0","12.0.1","12.0.2","12.0.3","12.0.4","12.0.5","12.1","12.2","12.3","12.4","13.0","13.0.1","13.0.2","14.0","14.1","14.1.1","14.2","14.3","14.3.1","15.0","15.1","15.2","16.0","17.0","17.1","17.1.1","18.0","18.0.1","18.1","18.2","18.3","18.3.1","18.3.2","18.4","18.5","18.6","18.6.1","18.7","18.7.1","18.8","18.8.1","19.0","19.1","19.1.1","19.2","19.3","19.4","19.4.1","19.5","19.6","19.6.1","19.6.2","19.7","2.0","2.0.1","2.0.2","2.1","2.1.1","2.1.2","2.2","20.0","20.1","20.1.1","20.10.1","20.2.2","20.3","20.3.1","20.4","20.6.6","20.6.7","20.6.8","20.7.0","20.8.0","20.8.1","20.9.0","21.0.0","21.1.0","21.2.0","21.2.1","21.2.2","22.0.0","22.0.1","22.0.2","22.0.4","22.0.5","23.0.0","23.1.0","23.2.0","23.2.1","24.0.0","24.0.1","24.0.2","24.0.3","24.1.0","24.1.1","24.2.0","24.2.1","24.3.0","24.3.1","25.0.0","25.0.1","25.0.2","25.1.0","25.1.1","25.1.2","25.1.3","25.1.4","25.1.5","25.1.6","25.2.0","25.3.0","25.4.0","26.0.0","26.1.0","26.1.1","27.0.0","27.1.0","27.1.2","27.2.0","27.3.0","27.3.1","28.0.0","28.1.0","28.2.0","28.3.0","28.4.0","28.5.0","28.6.0","28.6.1","28.7.0","28.7.1","28.8.0","28.8.1","29.0.0","29.0.1","3.0","3.0.1","3.0.2","3.1","3.2","3.3","3.4","3.4.1","3.4.2","3.4.3","3.4.4","3.5","3.5.1","3.5.2","3.6","3.7","3.7.1","3.8","3.8.1","30.0.0","30.1.0","30.2.0","30.2.1","30.3.0","30.4.0","31.0.0","31.0.1","32.0.0","32.1.0","32.1.1","32.1.2","32.1.3","32.2.0","32.3.0","32.3.1","33.1.0","33.1.1","34.0.0","34.0.1","34.0.2","34.0.3","34.1.0","34.1.1","34.2.0","34.3.0","34.3.1","34.3.2","34.3.3","34.4.0","34.4.1","35.0.0","35.0.1","35.0.2","36.0.1","36.1.0","36.1.1","36.2.0","36.2.1","36.2.2","36.2.3","36.2.4","36.2.5","36.2.6","36.2.7","36.3.0","36.4.0","36.5.0","36.6.0","36.6.1","36.7.0","36.7.1","36.7.2","36.8.0","37.0.0","38.0.0","38.1.0","38.2.0","38.2.1","38.2.3","38.2.4","38.2.5","38.3.0","38.4.0","38.4.1","38.5.0","38.5.1","38.5.2","38.6.0","38.6.1","38.7.0","39.0.0","39.0.1","39.1.0","39.2.0","4.0","4.0.1","40.0.0","40.1.0","40.1.1","40.2.0","40.3.0","40.4.0","40.4.1","40.4.2","40.4.3","40.5.0","40.6.0","40.6.1","40.6.2","40.6.3","40.7.0","40.7.1","40.7.2","40.7.3","40.8.0","40.9.0","41.0.0","41.0.1","41.1.0","41.2.0","41.3.0","41.4.0","41.5.0","41.5.1","41.6.0","42.0.0","42.0.1","42.0.2","43.0.0","44.0.0","44.1.0","44.1.1","45.0.0","45.1.0","45.2.0","45.3.0","46.0.0","46.1.0","46.1.1","46.1.2","46.1.3","46.2.0","46.3.0","46.3.1","46.4.0","47.0.0","47.1.0","47.1.1","47.2.0","47.3.0","47.3.1","47.3.2","48.0.0","49.0.0","49.0.1","49.1.0","49.1.1","49.1.2","49.1.3","49.2.0","49.2.1","49.3.0","49.3.1","49.3.2","49.4.0","49.5.0","49.6.0","5.0","5.0.1","5.0.2","5.1","5.2","5.3","5.4","5.4.1","5.4.2","5.5","5.5.1","5.6","5.7","5.8","50.0.0","50.0.1","50.0.2","50.0.3","50.1.0","50.2.0","50.3.0","50.3.1","50.3.2","51.0.0","51.1.0","51.1.0.post20201221","51.1.1","51.1.2","51.2.0","51.3.0","51.3.1","51.3.2","51.3.3","52.0.0","53.0.0","53.1.0","54.0.0","54.1.0","54.1.1","54.1.2","54.1.3","54.2.0","56.0.0","56.1.0","56.2.0","57.0.0","57.1.0","57.2.0","57.3.0","57.4.0","57.5.0","58.0.0","58.0.1","58.0.2","58.0.3","58.0.4","58.1.0","58.2.0","58.3.0","58.4.0","58.5.0","58.5.1","58.5.2","58.5.3","59.0.1","59.1.0","59.1.1","59.2.0","59.3.0","59.4.0","59.5.0","59.6.0","59.7.0","59.8.0","6.0.1","6.0.2","6.1","60.0.0","60.0.1","60.0.2","60.0.3","60.0.4","60.0.5","60.1.0","60.1.1","60.10.0","60.2.0","60.3.0","60.3.1","60.4.0","60.5.0","60.6.0","60.7.0","60.7.1","60.8.0","60.8.1","60.8.2","60.9.0","60.9.1","60.9.2","60.9.3","61.0.0","61.1.0","61.1.1","61.2.0","61.3.0","61.3.1","62.0.0","62.1.0","62.2.0","62.3.0","62.3.1","62.3.2","62.3.3","62.3.4","62.4.0","62.5.0","62.6.0","63.0.0","63.0.0b1","63.1.0","63.2.0","63.3.0","63.4.0","63.4.1","63.4.2","63.4.3","64.0.0","64.0.1","64.0.2","64.0.3","65.0.0","65.0.1","65.0.2","65.1.0","65.1.1","65.2.0","65.3.0","65.4.0","65.4.1","65.5.0","65.5.1","65.6.0","65.6.1","65.6.2","65.6.3","65.7.0","66.0.0","66.1.0","66.1.1","67.0.0","67.1.0","67.2.0","67.3.1","67.3.2","67.3.3","67.4.0","67.5.0","67.5.1","67.6.0","67.6.1","67.7.0","67.7.1","67.7.2","67.8.0","68.0.0","68.1.0","68.1.2","68.2.0","68.2.1","68.2.2","69.0.0","69.0.1","69.0.2","69.0.3","69.1.0","69.1.1","69.2.0","69.3.0","69.3.1","69.4.0","69.4.1","69.4.2","69.5.0","69.5.1","7.0","70.0.0","70.1.0","70.1.1","70.2.0","70.3.0","71.0.0","71.0.1","71.0.2","71.0.3","71.0.4","71.1.0","72.0.0","72.1.0","72.2.0","73.0.0","73.0.1","74.0.0","74.1.0","74.1.1","74.1.2","74.1.3","75.0.0","75.1.0","75.2.0","75.3.0","75.3.1","75.3.2","75.4.0","75.5.0","75.6.0","75.7.0","75.8.0","75.8.1","75.8.2","75.9.0","75.9.1","76.0.0","76.1.0","77.0.1","77.0.3","78.0.1","78.0.2","78.1.0","8.0","8.0.1","8.0.2","8.0.3","8.0.4","8.1","8.2","8.2.1","8.3","9.0","9.0.1","9.1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/setuptools/PYSEC-2025-49.yaml"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}