Path Traversal in Pypa Setuptools

CVE-2025-47273

setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.001 (30.5th percentile)

Frequently asked questions

What is CVE-2025-47273?
CVE-2025-47273 is a vulnerability in Pypa Setuptools, classified under Path Traversal. Published 2025-05-17.

Is CVE-2025-47273 known to be exploited?
18 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.