Update dependency setuptools to v78 [SECURITY]#22
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
Reviewer's GuideUpgrade setuptools in requirements.txt from ~=70.0.0 to ~=78.1.1 to resolve a path traversal vulnerability (CVE-2025-47273). Sequence Diagram: CVE-2025-47273 Path Traversal Vulnerability in setuptools < 78.1.1sequenceDiagram
autonumber
actor Attacker
participant UserProcess as "User Process (using setuptools)"
participant PackageIndex as "setuptools.PackageIndex._download_url (<78.1.1)"
participant Utils as "Utility functions (e.g. egg_info_for_url)"
participant OSPath as "os.path"
participant Filesystem
Attacker-->>UserProcess: Provides malicious URL (e.g., in package metadata or index)
UserProcess->>+PackageIndex: Calls _download_url(malicious_url, "/intended/tmp/dir")
PackageIndex->>+Utils: egg_info_for_url(malicious_url)
Utils-->>-PackageIndex: Returns 'name' derived from URL (e.g., "../../../../etc/passwd" or "/etc/passwd")
PackageIndex->>PackageIndex: Insufficient sanitization of 'name'
PackageIndex->>+OSPath: join("/intended/tmp/dir", name)
OSPath-->>-PackageIndex: filename (e.g., "/etc/passwd" or "/intended/tmp/dir/../../../../etc/passwd")
Note right of OSPath: If 'name' is absolute, initial path is discarded.
Note right of OSPath: '..' can lead to path traversal.
PackageIndex->>+Filesystem: Writes downloaded content to 'filename'
Filesystem-->>-PackageIndex: File written to unintended arbitrary location
PackageIndex-->>-UserProcess: Operation completes, potentially compromising system
File-Level Changes
Possibly linked issues
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
renovate
Bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
June 18, 2025 11:49
e1ca4e8 to
7d9964f
Compare
renovate
Bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
June 18, 2025 16:30
7d9964f to
9ee1d0c
Compare
renovate
Bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
2 times, most recently
from
July 28, 2025 20:59
66294af to
41c990f
Compare
renovate
Bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
August 3, 2025 17:54
41c990f to
24bc0ab
Compare
renovate
Bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
August 3, 2025 21:33
24bc0ab to
4a55c69
Compare
renovate
Bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
August 10, 2025 14:58
4a55c69 to
55b7676
Compare
renovate
Bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
August 10, 2025 16:54
55b7676 to
d8ed53c
Compare
renovate
Bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
2 times, most recently
from
August 13, 2025 21:55
0d608be to
67f961c
Compare
renovate
Bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
2 times, most recently
from
August 19, 2025 22:40
8252ceb to
1fd83b9
Compare
renovate
Bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
September 25, 2025 15:00
1fd83b9 to
b3101be
Compare
renovate
Bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
September 25, 2025 20:12
b3101be to
a7eff52
Compare
renovate
Bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
2 times, most recently
from
December 30, 2025 18:13
70791bb to
654df2e
Compare
renovate
Bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
2 times, most recently
from
December 31, 2025 20:12
70cdd0a to
7dd7f56
Compare
renovate
Bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
January 23, 2026 17:49
7dd7f56 to
520436c
Compare
renovate
Bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
January 23, 2026 23:03
520436c to
28f1abf
Compare
renovate
Bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
2 times, most recently
from
February 2, 2026 22:42
cd67d74 to
a21fc1a
Compare
renovate
Bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
February 12, 2026 15:56
a21fc1a to
9d3159b
Compare
renovate
Bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
February 12, 2026 19:07
9d3159b to
724458c
Compare
renovate
Bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
February 16, 2026 13:45
724458c to
9953007
Compare
renovate
Bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
February 16, 2026 17:45
9953007 to
0ea35ad
Compare
renovate
Bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
March 5, 2026 13:36
0ea35ad to
c7f68db
Compare
renovate
Bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
March 5, 2026 19:40
c7f68db to
0effc77
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
~=70.0.0→~=78.1.1setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write
CVE-2025-47273 / GHSA-5rjg-fvgr-3xxf
More information
Details
Summary
A path traversal vulnerability in
PackageIndexwas fixed in setuptools version 78.1.1Details
Here: https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88
os.path.join()discards the first argumenttmpdirif the second begins with a slash or drive letter.nameis derived from a URL without sufficient sanitization. While there is some attempt to sanitize by replacing instances of '..' with '.', it is insufficient.Risk Assessment
As easy_install and package_index are deprecated, the exploitation surface is reduced.
However, it seems this could be exploited in a similar fashion like GHSA-r9hx-vwmv-q579, and as described by POC 4 in GHSA-cx63-2mw6-8hw5 report: via malicious URLs present on the pages of a package index.
Impact
An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to RCE depending on the context.
References
https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5
https://github.com/pypa/setuptools/issues/4946
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:PReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
pypa/setuptools (setuptools)
v78.1.1Compare Source
v78.1.0Compare Source
v78.0.2Compare Source
v78.0.1Compare Source
v77.0.3Compare Source
v77.0.1Compare Source
v76.1.0Compare Source
v76.0.0Compare Source
v75.9.1Compare Source
v75.9.0Compare Source
v75.8.2Compare Source
v75.8.1Compare Source
v75.8.0Compare Source
v75.7.0Compare Source
v75.6.0Compare Source
v75.5.0Compare Source
v75.4.0Compare Source
v75.3.4Compare Source
v75.3.3Compare Source
v75.3.2Compare Source
v75.3.1Compare Source
v75.3.0Compare Source
v75.2.0Compare Source
v75.1.0Compare Source
v75.0.0Compare Source
v74.1.3Compare Source
v74.1.2Compare Source
v74.1.1Compare Source
v74.1.0Compare Source
v74.0.0Compare Source
v73.0.1Compare Source
v73.0.0Compare Source
v72.2.0Compare Source
v72.1.0Compare Source
v72.0.0Compare Source
v71.1.0Compare Source
v71.0.4Compare Source
v71.0.3Compare Source
v71.0.2Compare Source
v71.0.1Compare Source
v71.0.0Compare Source
v70.3.0Compare Source
v70.2.0Compare Source
v70.1.1Compare Source
v70.1.0Compare Source
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.