GHSA-94v7-wxj6-r2q5: 
Python vulnerability analysis and mitigation

The vulnerability (GHSA-94v7-wxj6-r2q5) affects the multicast package versions prior to 2.0.9a0, published on May 28, 2025. The issue stems from a vulnerable setuptools dependency, where systems with minimal dependencies installed may use setuptools <78.1.1. This moderate severity vulnerability is classified with a CVSS v4 score of 5.9 (GitHub Advisory).

The vulnerability is classified as CWE-1395 with a CVSS v4 score of 5.9 (Moderate). The attack vector is Network-based with low complexity, requiring present attack requirements and active user interaction. The vulnerability metrics indicate no confidentiality or availability impacts, but show high integrity impacts to the vulnerable system. The technical nature of the vulnerability relates to systems using older versions of setuptools (<78.1.1) during the build process (GitHub Advisory).

The vulnerability can cause source-builds to fail due to exploitation of the related CVE-2025-47273, or result in arbitrary modifications to the build process. The primary impact is on the integrity of the build system, with no direct effects on confidentiality or availability (GitHub Advisory).

The issue has been patched in version 2.0.9a0 and later by upgrading the setuptools requirement to >=80.4. For improved stability, version 2.0.9a3 is recommended. Additional hardening measures have been implemented in version 2.0.9a4+ of the build process, including CI build verification via GitHub attestations (GitHub Advisory).