CVE-2025-47273
CVE Details
Visit the official vulnerability details page for CVE-2025-47273 to learn more.
Initial Publication
05/20/2025
Last Update
09/02/2025
Third Party Dependency
setuptools
NIST CVE Summary
setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.
CVE Severity
Our Official Summary
This is a high-severity path traversal vulnerability in the Python setuptools package, specifically affecting versions prior to 78.1.1. The vulnerability resides in the PackageIndex._download_url method, where insufficient sanitization of file paths allows attackers to write files to arbitrary locations on the filesystem with the permissions of the executing process. This flaw could potentially lead to remote code execution, depending on the context in which the vulnerable code is executed.
For Palette and VerteX this issue is rated low risk: the containers in which the vulnerable setuptools is reported are not reachable without privileged access, and the impact of exploitation is also low because the attack surface is restricted to those containers, which do not allow execution of arbitrary code.
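The summary above describes the bug class but not the mechanism, so the following Python is an added illustration written for this page; it is not setuptools' own code and the function names are ours. It models the vulnerable pattern (deriving a file name from the last, percent-decoded segment of an attacker-controlled URL and joining it onto a download directory with `os.path.join`) next to a hardened version that resolves the candidate path and verifies it stays inside the directory. The percent-encoded absolute path used as the sample input is an assumption about how such a name could be smuggled in, not a trigger the advisory states.

```python
import os
import urllib.parse


def name_from_url(url: str) -> str:
    """Simplified model (not setuptools' code) of naming a download after
    the last URL path segment, percent-decoded. Decoding happens after the
    split, so an encoded '/' survives into the returned name."""
    path = urllib.parse.urlparse(url).path
    return urllib.parse.unquote(path.split("/")[-1]) or "__downloaded__"


def unsafe_download_path(tmpdir: str, url: str) -> str:
    """Vulnerable pattern: os.path.join drops every earlier component when a
    later component is absolute, so a decoded name such as
    '/etc/cron.d/job' yields a path far outside tmpdir."""
    return os.path.join(tmpdir, name_from_url(url))


def safe_download_path(tmpdir: str, url: str) -> str:
    """Hardened pattern: allow only a single path component, then resolve the
    result and prove it is contained in the resolved tmpdir."""
    name = name_from_url(url)
    # A name with separators, or one of '.'/'..', is never a valid file name.
    if name != os.path.basename(name) or name in (".", ".."):
        raise ValueError(f"refusing suspicious download name {name!r}")
    base = os.path.realpath(tmpdir)
    candidate = os.path.realpath(os.path.join(base, name))
    # commonpath is the containment check; a bare startswith() would accept
    # '/tmp/dl-evil' as being inside '/tmp/dl'.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"download path {candidate!r} escapes {base!r}")
    return candidate


def is_rejected(tmpdir: str, url: str) -> bool:
    """True if the hardened resolver refuses the URL."""
    try:
        safe_download_path(tmpdir, url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample URLs: one benign, one carrying an encoded absolute path.
    tmpdir = "/tmp/dl"
    benign = "https://example.invalid/simple/pkg/pkg-1.0.tar.gz"
    hostile = "https://example.invalid/simple/pkg/%2Fetc%2Fcron.d%2Fjob"
    for url in (benign, hostile):
        print("unsafe:", unsafe_download_path(tmpdir, url))
        print("safe:  ", "rejected" if is_rejected(tmpdir, url)
              else safe_download_path(tmpdir, url))
```

The key property to remember when reviewing similar code is that `os.path.join(base, name)` provides no containment guarantee; only a post-resolution check (`realpath` plus `commonpath`, or an equivalent) does. Stripping `..` from the name is not sufficient on its own, because an absolute component needs no `..` to escape.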
Status
Ongoing
Affected Products & Versions
Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
---|---|---|---|---|
4.7.16 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
4.6.41 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
Revision History
Date | Revision |
---|---|
06/30/2025 | Status changed from Open to Ongoing |
06/30/2025 | Official summary added |
06/13/2025 | Advisory assigned with HIGH severity |