CVE-2025-47273

CVE Details

Visit the official vulnerability details page for CVE-2025-47273 to learn more.

Initial Publication

05/20/2025

Last Update

08/05/2025

Third Party Dependency

setuptools

NIST CVE Summary

setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.

CVE Severity

8.8

Our Official Summary

This is a high-severity path traversal vulnerability in the Python setuptools package, affecting versions prior to 78.1.1. The vulnerability resides in the PackageIndex._download_url method, where insufficient sanitization of the file name derived from a download URL allows an attacker to write files to arbitrary locations on the filesystem with the permissions of the executing process. Depending on where the written file lands and what consumes it, this can lead to remote code execution.

We rate this issue as low risk for our products because the containers in which it is reported are not reachable without privileged access. The impact of exploitation is also limited: the attack surface is confined to those containers, and they do not allow execution of arbitrary code.
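
The following is an added example and is not code from setuptools or from this advisory. It reproduces the bug class described above in simplified form: a local file name is taken from the last segment of the download URL and joined onto a scratch directory, and because the segment is percent-decoded after the URL is split, an encoded slash or dot survives into the name. Two constructed traversal URLs are shown beside a benign one; the hardened variant rejects any target that does not resolve inside the scratch directory. The function names, the scratch path and the sample URLs are assumptions made for illustration.

```python
"""Simplified reproduction of the CVE-2025-47273 bug class (added example).

Not setuptools' code: it mirrors the pattern of deriving a file name from a
download URL and joining it onto a temporary directory, then shows the
containment check that closes the hole.
"""
import os
from urllib.parse import unquote, urlparse


def filename_from_url(url: str) -> str:
    """Return the last URL path segment, percent-decoded after splitting.

    Decoding after the split is what lets %2F (slash) and %2E (dot) reach the
    file name intact. This ordering is assumed here for illustration.
    """
    path = urlparse(url).path
    return unquote(path.split("/")[-1]) or "__downloaded__"


def vulnerable_target(url: str, tmpdir: str) -> str:
    """Naive join: trusts whatever the URL produced as a name.

    os.path.join discards tmpdir entirely when the name is absolute, and a
    name containing '..' climbs out of tmpdir once the path is normalized.
    """
    return os.path.normpath(os.path.join(tmpdir, filename_from_url(url)))


def hardened_target(url: str, tmpdir: str) -> str:
    """Join, then refuse any target that does not resolve inside tmpdir."""
    root = os.path.realpath(tmpdir)
    target = os.path.realpath(os.path.join(root, filename_from_url(url)))
    # commonpath rather than str.startswith: '/scratch/dl' is a string
    # prefix of '/scratch/dl-evil' but not a parent directory of it.
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"refusing to write outside {root}: {target}")
    return target


def accepts(url: str, tmpdir: str) -> bool:
    """True if hardened_target would write the URL's file under tmpdir."""
    try:
        hardened_target(url, tmpdir)
    except ValueError:
        return False
    return True


# Constructed sample URLs: one benign download, two traversal attempts.
SCRATCH = "/scratch/dl"  # assumed scratch directory; need not exist
BENIGN = "https://files.example.test/packages/demo-1.0.tar.gz"
DOTDOT = "https://files.example.test/%2e%2e%2f%2e%2e%2fetc%2fcron.d%2fpayload"
ABSOLUTE = "https://files.example.test/%2Fetc%2Fcron.d%2Fpayload"


if __name__ == "__main__":
    for label, url in (("benign", BENIGN), ("dotdot", DOTDOT), ("absolute", ABSOLUTE)):
        print(f"{label:9s} vulnerable -> {vulnerable_target(url, SCRATCH)}")
        print(f"{label:9s} hardened   -> accepted={accepts(url, SCRATCH)}")
```

The example shows the check a correct fix has to perform; the remediation for this advisory remains upgrading to a build that carries setuptools 78.1.1 or later.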

Status

Ongoing

Affected Products & Versions

| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
|---------|--------------------|---------------------------|--------|---------------|
| 4.7.16  | ⚠️ Impacted        | ✅ No Impact              | ⚠️ Impacted | ✅ No Impact |
| 4.6.41  | ⚠️ Impacted        | ⚠️ Impacted               | ⚠️ Impacted | ⚠️ Impacted  |

Revision History

| Date       | Revision                              |
|------------|---------------------------------------|
| 06/30/2025 | Status changed from Open to Ongoing   |
| 06/30/2025 | Official summary added                |
| 06/13/2025 | Advisory assigned with HIGH severity  |