GHSA-94v7-wxj6-r2q5: 
Python vulnerability analysis and mitigation

The vulnerability (GHSA-94v7-wxj6-r2q5) affects the multicast package versions prior to 2.0.9a0. The issue stems from a vulnerable setuptools dependency, where systems with minimal dependencies installed may use setuptools <78.1.1, potentially leading to build process vulnerabilities. This moderate severity vulnerability was published on May 28, 2025 (GitHub Advisory).

The vulnerability is classified as CWE-1395 with a CVSS v4 score of 5.9 (Moderate). The attack vector is Network-based with low complexity, requiring present attack requirements and active user interaction. While no confidentiality or availability impacts are noted, the vulnerability can result in high integrity impacts to the vulnerable system (GitHub Advisory).

The vulnerability can cause source-builds to fail due to exploitation of the related CVE-2025-47273, or result in arbitrary modifications to the build process. The primary impact is on the integrity of the build system, with no direct effects on confidentiality or availability (GitHub Advisory).

The issue has been patched in version 2.0.9a0 and later by upgrading the setuptools requirement to >=80.4. For improved stability, version 2.0.9a3 is recommended. Additional hardening measures have been implemented in version 2.0.9a4+ of the build process, including CI build verification via GitHub attestations (GitHub Advisory).