CVE-2025-47273
Publication date 17 May 2025
Last updated 30 May 2025
Ubuntu priority
setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| python-pip | 25.04 plucky |
Needs evaluation
|
| 24.10 oracular |
Needs evaluation
|
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
|
| 14.04 LTS trusty |
Needs evaluation
|
|
| python-setuptools | 25.04 plucky | Not in release |
| 24.10 oracular | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy |
Fixed 44.1.1-1.2ubuntu0.22.04.1+esm2
|
|
| 20.04 LTS focal |
Fixed 44.0.0-2ubuntu0.1+esm2
|
|
| 18.04 LTS bionic |
Fixed 39.0.1-2ubuntu0.1+esm2
|
|
| 16.04 LTS xenial |
Fixed 20.7.0-1ubuntu0.1~esm3
|
|
| 14.04 LTS trusty |
Fixed 3.3-1ubuntu2+esm3
|
|
| setuptools | 25.04 plucky |
Fixed 75.8.0-1ubuntu1
|
| 24.10 oracular |
Fixed 74.1.2-1ubuntu0.1
|
|
| 24.04 LTS noble |
Fixed 68.1.2-2ubuntu1.2
|
|
| 22.04 LTS jammy |
Fixed 59.6.0-1.2ubuntu0.22.04.3
|
|
| 20.04 LTS focal |
Fixed 45.2.0-1ubuntu0.3
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProNotes
mdeslaur
On focal and earlier, the python-pip package bundles python-setuptools binaries when built. After updating python-setuptools, a no-change rebuild of python-pip is required. On jammy and later, python-setuptools is bundled in the python-pip package and needs to be patched.
Patch details
| Package | Patch details |
|---|---|
| python-setuptools |
|
| setuptools |
|
References
Related Ubuntu Security Notices (USN)
- USN-7544-1
- Setuptools vulnerability
- 28 May 2025
Other references
- https://www.cve.org/CVERecord?id=CVE-2025-47273
- https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf
- https://github.com/pypa/setuptools/issues/4946
- https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88
- https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b