1. Home
  2. Vulnerabilities
  3. CVE-2025-47273
8.8
HIGH CVSS 3.1
CVE-2025-47273
setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write
Overview
Description

setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.

Details
INFO

Published Date :

May 17, 2025, 4:15 p.m.

Last Modified :

June 12, 2025, 4:29 p.m.

Remotely Exploit :

Yes !

Source :

[email protected]
Impact
Affected Products

The following products are affected by CVE-2025-47273 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Debian debian_linux
1 Python setuptools
: Total Affected Vendor : 2 | Products : 2
Scoring
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 HIGH [email protected]
CVSS 4.0 HIGH [email protected]
Solution
Update setuptools to version 78.1.1 to fix path traversal vulnerability.
  • Update setuptools to version 78.1.1 or later.
  • Ensure the affected Python process runs with minimal privileges.
Public PoC/Exploit Available at Github

CVE-2025-47273 has a 27 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

References
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2025-47273.

URL Resource
https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88 Product
https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b Patch
https://github.com/pypa/setuptools/issues/4946 Exploit Issue Tracking
https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf Exploit Vendor Advisory
https://lists.debian.org/debian-lts-announce/2025/05/msg00035.html Mailing List
https://github.com/pypa/setuptools/issues/4946 Exploit Issue Tracking
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-47273 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2025-47273 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Profile Photo
InzegoSec/CVE-2024-25081_2025-47273

An exploit for vulnerable versions of fontforge and setuptools plus a practical example.

cve cybersecurity exploit

Python

Updated: 5 days, 8 hours ago
0 stars 0 fork 0 watcher
Born at : March 19, 2026, 12:30 a.m. This repo has been linked 2 different CVEs too.
Profile Photo
itszarmaull/VariaType-Writeup-HTB

"Step-by-step exploitation guide for HTB VariaType machine. Featuring Nmap scans, web enumeration with ffuf, and custom .sfd font exploit payloads for reverse shell access."

Updated: 1 week ago
0 stars 0 fork 0 watcher
Born at : March 17, 2026, 4:58 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
ahmedreda38/CVE-2025-47273-PoC

CVE-2025-47273 is a high-severity path traversal vulnerability in the setuptools library ,specifically version 78.1.0 .

Python

Updated: 1 week, 2 days ago
0 stars 0 fork 0 watcher
Born at : March 15, 2026, 11:03 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
AliElKhatteb/CVE-2025-47273-POC

CVE-2025-47273 — setuptools path traversal PoC

Updated: 4 days, 15 hours ago
1 stars 0 fork 0 watcher
Born at : March 15, 2026, 9:08 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
OlegKarenkikh/elasticsearch-curator-secure

Elasticsearch Curator container build with CVE-free security scanning via Trivy

Shell Dockerfile Makefile

Updated: 1 day, 4 hours ago
0 stars 0 fork 0 watcher
Born at : March 10, 2026, 9 a.m. This repo has been linked 10 different CVEs too.
Profile Photo
BrandonToddJackson/nexus-notarized-ai-execution

None

Python Dockerfile Makefile HTML JavaScript CSS Go Template Mako TypeScript

Updated: 3 weeks, 4 days ago
0 stars 0 fork 0 watcher
Born at : Feb. 21, 2026, 6:15 p.m. This repo has been linked 5 different CVEs too.
Profile Photo
KSetho/wazuh-soc-incident-report

None

Updated: 1 month ago
0 stars 0 fork 0 watcher
Born at : Feb. 20, 2026, 12:26 p.m. This repo has been linked 9 different CVEs too.
Profile Photo
Backline-playground/vdr-python-test

Test repo for VDR OSV fallback testing (Python/pip)

Python

Updated: 1 month, 3 weeks ago
0 stars 0 fork 0 watcher
Born at : Feb. 2, 2026, 9:51 a.m. This repo has been linked 5 different CVEs too.
Profile Photo
nrjain1997/python-security-test

None

Python

Updated: 3 months, 1 week ago
0 stars 0 fork 0 watcher
Born at : Dec. 12, 2025, 11:52 a.m. This repo has been linked 5 different CVEs too.
Profile Photo
tim-gowan/python-security-benchmark

Code to test SAST and SCA Reachability

Python

Updated: 3 months, 1 week ago
0 stars 0 fork 0 watcher
Born at : Dec. 9, 2025, 8:29 p.m. This repo has been linked 5 different CVEs too.
Profile Photo
megawron/DevSecOps-Showcase

None

Dockerfile Python HCL

Updated: 4 months, 1 week ago
0 stars 0 fork 0 watcher
Born at : Nov. 10, 2025, 5:08 p.m. This repo has been linked 9 different CVEs too.
Profile Photo
MyCompanyOrganization/exploint

Go CLI tool for vulnerability exploitability analysis with AI-powered enrichment

Python Dockerfile Go

Updated: 4 months, 3 weeks ago
0 stars 0 fork 0 watcher
Born at : Nov. 2, 2025, 6:23 p.m. This repo has been linked 2 different CVEs too.
Profile Photo
Vincent9956/Container-Security

Standalone Container Security Tests

Updated: 5 months ago
0 stars 0 fork 0 watcher
Born at : Oct. 21, 2025, 11:33 a.m. This repo has been linked 81 different CVEs too.
Profile Photo
marSanGal/health-check-backend

None

Dockerfile Makefile Python

Updated: 5 months, 2 weeks ago
0 stars 0 fork 0 watcher
Born at : Oct. 6, 2025, 11:52 a.m. This repo has been linked 3 different CVEs too.
Profile Photo
CKA-codespace/cg-compare

None

Dockerfile

Updated: 6 months, 1 week ago
0 stars 0 fork 0 watcher
Born at : Sept. 15, 2025, 1:14 p.m. This repo has been linked 30 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2025-47273 vulnerability anywhere in the article.

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2025-47273 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Jun. 12, 2025

    Action Type Old Value New Value
    Added CVSS V3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    Added CPE Configuration OR *cpe:2.3:a:python:setuptools:*:*:*:*:*:*:*:* versions up to (excluding) 78.1.1
    Added CPE Configuration OR *cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
    Added Reference Type GitHub, Inc.: https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88 Types: Product
    Added Reference Type GitHub, Inc.: https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b Types: Patch
    Added Reference Type CISA-ADP: https://github.com/pypa/setuptools/issues/4946 Types: Exploit, Issue Tracking
    Added Reference Type GitHub, Inc.: https://github.com/pypa/setuptools/issues/4946 Types: Exploit, Issue Tracking
    Added Reference Type GitHub, Inc.: https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf Types: Exploit, Vendor Advisory
    Added Reference Type CVE: https://lists.debian.org/debian-lts-announce/2025/05/msg00035.html Types: Mailing List
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    May. 28, 2025

    Action Type Old Value New Value
    Added Reference https://lists.debian.org/debian-lts-announce/2025/05/msg00035.html
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    May. 19, 2025

    Action Type Old Value New Value
    Added Reference https://github.com/pypa/setuptools/issues/4946
  • New CVE Received by [email protected]

    May. 17, 2025

    Action Type Old Value New Value
    Added Description setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.
    Added CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
    Added CWE CWE-22
    Added Reference https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88
    Added Reference https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b
    Added Reference https://github.com/pypa/setuptools/issues/4946
    Added Reference https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CVSS
Vulnerability Scoring Details
Base CVSS Score: 7.7
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Base CVSS Score: 8.8
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact