PyPI: setuptools

CVE-2025-47273

Safety vulnerability ID: SFTY-20250517-45169

Safety legacy ID: pyup.io-76752

Affected versions of Setuptools are vulnerable to Path Traversal via PackageIndex.download(). The impact is Arbitrary File Overwrite: An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to RCE depending on the context.

Created at: Mar 24, 2026
Updated at: Mar 24, 2026

Overview

setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write

Affected Package

Affecting setuptools package, versions <78.1.1

Also affects

---

How to Fix

Upgrade setuptools to 78.1.1 or higher.
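An added illustration, not setuptools' own code, of the bug class named above and the containment check that closes it: a downloader that takes the percent-decoded last URL segment as its local filename, shown naively beside a resolver that refuses any name landing outside the download directory. The function names, the sample URLs and the /tmp/dl directory are constructed for this example.

```python
# Added example (not setuptools' own code). Two facts make a download routine
# traverse: the last URL segment may contain '/' or '..' once percent-decoded,
# and os.path.join() silently discards the base directory when the second
# component is absolute. Names and URLs here are constructed for illustration.
import os
from urllib.parse import unquote, urlparse


def filename_from_url(url: str) -> str:
    """Last path segment of the URL, percent-decoded (what a naive downloader uses)."""
    segment = urlparse(url).path.rstrip("/").rsplit("/", 1)[-1]
    return unquote(segment) or "__downloaded__"


def naive_download_filename(url: str, tmpdir: str) -> str:
    """Vulnerable pattern: join the decoded name without checking where it lands."""
    return os.path.join(tmpdir, filename_from_url(url))


def resolve_download_filename(url: str, tmpdir: str) -> str:
    """Hardened pattern: resolve the joined path and refuse anything outside tmpdir.

    realpath() collapses '..' and follows symlinks, so the comparison is made
    on the path that would actually be opened for writing.
    """
    base = os.path.realpath(tmpdir)
    name = filename_from_url(url)
    candidate = os.path.realpath(os.path.join(base, name))
    # commonpath, not startswith: '/tmp/dl' must not accept '/tmp/dl-other/x'
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"download name {name!r} escapes {base!r}")
    return candidate


def safe_to_download(url: str, tmpdir: str) -> bool:
    """True if the hardened resolver accepts the URL's filename for tmpdir."""
    try:
        resolve_download_filename(url, tmpdir)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    tmpdir = "/tmp/dl"  # constructed download directory
    for url in ("https://index.example/packages/pkg-1.0.tar.gz",
                "https://index.example/%2e%2e%2f%2e%2e%2fescaped.txt",
                "https://index.example/%2foutside%2fof%2ftmpdir.txt"):
        print(url, "->", naive_download_filename(url, tmpdir),
              "| accepted:", safe_to_download(url, tmpdir))
```

Run it to see the naive join land outside /tmp/dl for the two encoded names while the resolver rejects both and accepts the ordinary archive name.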

Mitigation and Workarounds

---

Vulnerable Functions

Functions linked to known vulnerabilities.

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.