
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2025-47273 affects setuptools, a package that allows users to download, build, install, upgrade, and uninstall Python packages. The vulnerability was discovered and disclosed on May 17, 2025, and affects versions prior to 78.1.1. A path traversal vulnerability exists in the PackageIndex component that could allow attackers to write files to arbitrary locations on the filesystem (GitHub Advisory).
The vulnerability exists in the _download_url function within package_index.py. The issue occurs because os.path.join() discards the first argument (tmpdir) if the second begins with a slash or drive letter. While there is an attempt to sanitize the filename by replacing instances of '..' with '.', the sanitization is insufficient. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and has received a CVSS 4.0 score of 7.7 HIGH (NVD, GitHub Advisory).
An attacker can exploit this vulnerability to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code. Depending on the context, this could escalate to remote code execution (RCE). Although the exploitable surface is reduced because easy_install and package_index are deprecated, the vulnerability could still be exploited through malicious URLs present on package index pages (GitHub Advisory).
The vulnerability has been patched in setuptools version 78.1.1. Users should upgrade to this version or later to receive the fix. The patch adds additional checks to ensure the target filename resolves within the temporary directory (GitHub Commit).
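The os.path.join pitfall and the containment check described above, as an added example that is not setuptools' own code; TMPDIR, the function names and the file names are constructed stand-ins:

```python
"""Why a '..' substitution plus os.path.join is not a containment check, and what is.

Added example, not setuptools' code. TMPDIR and all file names are constructed.
"""
import os

TMPDIR = "/tmp/setuptools-download"  # constructed stand-in for the download tmpdir


def legacy_target_path(tmpdir: str, name: str) -> str:
    """Mirror the pre-78.1.1 logic as the advisory describes it: replace '..', then join.

    os.path.join drops tmpdir entirely when name is absolute (leading '/' or,
    on Windows, a drive letter), so the '..' substitution alone is not enough.
    """
    return os.path.join(tmpdir, name.replace("..", "."))


def is_within(tmpdir: str, path: str) -> bool:
    """True only if path, after full normalisation, lies inside tmpdir."""
    root = os.path.realpath(tmpdir)
    target = os.path.realpath(path)
    return os.path.commonpath([root, target]) == root


def checked_target_path(tmpdir: str, name: str) -> str:
    """Hardened variant (hypothetical): build the path, then refuse anything outside tmpdir.

    This is the shape of the check the fix adds: the decision is made on the
    resolved result, not on the input string.
    """
    candidate = os.path.join(tmpdir, name)
    if not is_within(tmpdir, candidate):
        raise ValueError(f"refusing to write outside {tmpdir}: {name!r}")
    return candidate


if __name__ == "__main__":
    # Constructed names: a normal file, a relative traversal, and an absolute path.
    for name in ("pkg-1.0.tar.gz", "../../escape.tar.gz", "/other/dir/escape.tar.gz"):
        legacy = legacy_target_path(TMPDIR, name)
        print(f"{name!r:28} legacy -> {legacy:44} inside tmpdir? {is_within(TMPDIR, legacy)}")
```

Run on a POSIX host, the absolute name is the only one the legacy path places outside TMPDIR, which is exactly the case checked_target_path rejects.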
Source: This report was generated using AI