Critical Path Traversal Vulnerability in Python setuptools Enables Arbitrary File Write — CVE-2025-47273
A path traversal vulnerability in setuptools' PackageIndex.download code path (the _download_url helper in setuptools/package_index.py) allows an attacker who controls a download URL to make the library write the fetched file to an arbitrary location on the target system. The flaw, tracked as CVE-2025-47273 and published as GHSA-5rjg-fvgr-3xxf, is fixed in setuptools 78.1.1; the advisory prompted an urgent dependency bump from the previously pinned v70.0.0 release. The result is an arbitrary file write reachable during package download and installation operations that setuptools itself performs.
The flaw resides in how setuptools chooses the on-disk filename for a download. The name is taken from the last path segment of the download URL and percent-decoded. The code already collapsed ".." sequences, but an encoded slash (%2f) in that segment decodes to a literal "/", so a crafted URL such as https://anyhost/%2fhome%2fuser%2f.ssh%2fauthorized_keys yields an absolute path. Because os.path.join discards its first argument when the second is absolute, the file is written to that path instead of inside the temporary download directory, and nothing checked that the result stayed under it. The exposure is limited to code that goes through setuptools' own package_index module, the legacy easy_install machinery and anything that calls PackageIndex directly; pip uses its own download code and does not call PackageIndex.download. A development environment, build system, or CI/CD pipeline is affected when a tool in it invokes that code with an attacker-influenced URL, for example a custom index, dependency link, or download location the attacker controls.
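To make the failure mode concrete, the following is an added example written for this article, not setuptools' own code: a simplified model of the filename derivation in setuptools/package_index.py (the egg_info_for_url and _download_url logic) before the fix, beside a hardened variant that refuses any result outside the download directory, in the spirit of the _resolve_download_filename check introduced in 78.1.1. The hostnames, the /srv/downloads directory, and the sample URLs are constructed for the demonstration.

```python
"""
Model of the filename derivation behind CVE-2025-47273 (added example, not
setuptools' code). It mirrors the shape of egg_info_for_url() and
_download_url() in setuptools/package_index.py so the bug can be run offline.
"""
import os
import urllib.parse


def name_from_url(url: str) -> str:
    """Last path segment of the URL, percent-decoded.

    This is the step that turns '%2f' into a literal '/', so a crafted last
    segment can decode to an absolute path.
    """
    path = urllib.parse.urlparse(url).path
    return urllib.parse.unquote(path.split('/')[-1])


def vulnerable_download_path(url: str, tmpdir: str) -> str:
    """Pre-78.1.1 behaviour (model).

    Dot-dot sequences are collapsed, but nothing verifies that the joined
    path is still inside tmpdir, and os.path.join() drops tmpdir entirely
    when the second argument is absolute.
    """
    name = name_from_url(url)
    if name:
        while '..' in name:
            name = name.replace('..', '.').replace('\\', '_')
    else:
        name = '__downloaded__'  # default if the URL has no path contents
    return os.path.join(tmpdir, name)


def hardened_download_path(url: str, tmpdir: str) -> str:
    """Post-fix shape (model): derive the name the same way, then refuse any
    result that does not resolve to a location under tmpdir."""
    candidate = vulnerable_download_path(url, tmpdir)
    root = os.path.realpath(tmpdir)
    resolved = os.path.realpath(candidate)
    if os.path.commonpath([root, resolved]) != root:
        raise ValueError('Invalid filename in URL')
    return candidate


def escapes_tmpdir(url: str, tmpdir: str) -> bool:
    """True when the pre-fix derivation would write outside tmpdir."""
    try:
        hardened_download_path(url, tmpdir)
    except ValueError:
        return True
    return False


if __name__ == '__main__':
    # Constructed sample URLs; hostnames and the directory are placeholders.
    tmpdir = '/srv/downloads'
    urls = [
        'https://files.pythonhosted.org/packages/a9/5a/setuptools-78.1.0.tar.gz',
        'https://anyhost/..%2f..%2fetc%2fpasswd',
        'https://anyhost/%2fhome%2fuser%2f.ssh%2fauthorized_keys',
    ]
    for u in urls:
        print(u)
        print('  pre-fix  :', vulnerable_download_path(u, tmpdir))
        try:
            print('  post-fix :', hardened_download_path(u, tmpdir))
        except ValueError as exc:
            print('  post-fix : rejected,', exc)
```

Running the script shows the two cases the old code told apart badly: the "..%2f" URL is neutralised by the dot-dot collapsing and stays inside /srv/downloads, while the "%2fhome..." URL bypasses that check entirely and resolves to /home/user/.ssh/authorized_keys under the pre-fix logic. The hardened variant compares realpaths with os.path.commonpath rather than a string prefix, so a directory whose name merely starts with the tmpdir string does not pass either.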
Because the attacker chooses both the destination path and the file contents, a successful exploit can overwrite configuration files, drop an authorized_keys or shell startup file, replace scripts that later run with higher privileges, or plant code inside an existing installation, establishing a persistent foothold on the affected machine. Organizations using setuptools in automated pipelines should verify that every environment runs 78.1.1 or later, for example with python -m pip show setuptools, and pin setuptools>=78.1.1 where it is a declared dependency. The GitHub advisory rates the flaw High severity; an arbitrary file write in which both path and content are attacker-controlled typically gives significant flexibility in crafting payloads. Maintainers should audit direct uses of PackageIndex in their own tooling and ensure dependency update mechanisms such as RenovateBot or Dependabot are configured to surface security patches without delay.