-
Notifications
You must be signed in to change notification settings - Fork 0
Update dependency setuptools to v78 [SECURITY] #22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Reviewer's GuideUpgrade setuptools in requirements.txt from ~=70.0.0 to ~=78.1.1 to resolve a path traversal vulnerability (CVE-2025-47273). Sequence Diagram: CVE-2025-47273 Path Traversal Vulnerability in setuptools < 78.1.1sequenceDiagram
autonumber
actor Attacker
participant UserProcess as "User Process (using setuptools)"
participant PackageIndex as "setuptools.PackageIndex._download_url (<78.1.1)"
participant Utils as "Utility functions (e.g. egg_info_for_url)"
participant OSPath as "os.path"
participant Filesystem
Attacker-->>UserProcess: Provides malicious URL (e.g., in package metadata or index)
UserProcess->>+PackageIndex: Calls _download_url(malicious_url, "/intended/tmp/dir")
PackageIndex->>+Utils: egg_info_for_url(malicious_url)
Utils-->>-PackageIndex: Returns 'name' derived from URL (e.g., "../../../../etc/passwd" or "/etc/passwd")
PackageIndex->>PackageIndex: Insufficient sanitization of 'name'
PackageIndex->>+OSPath: join("/intended/tmp/dir", name)
OSPath-->>-PackageIndex: filename (e.g., "/etc/passwd" or "/intended/tmp/dir/../../../../etc/passwd")
Note right of OSPath: If 'name' is absolute, initial path is discarded.
Note right of OSPath: '..' can lead to path traversal.
PackageIndex->>+Filesystem: Writes downloaded content to 'filename'
Filesystem-->>-PackageIndex: File written to unintended arbitrary location
PackageIndex-->>-UserProcess: Operation completes, potentially compromising system
File-Level Changes
Possibly linked issues
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
@renovate
renovate
bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
June 18, 2025 11:49
e1ca4e8 to
7d9964f
Compare
@renovate
renovate
bot
changed the title
(削除) Update dependency setuptools to v78 [SECURITY] (削除ここまで)
(追記) Update dependency setuptools to ~=70.3.0 [SECURITY] (追記ここまで)
Jun 18, 2025
@renovate
renovate
bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
June 18, 2025 16:30
7d9964f to
9ee1d0c
Compare
@renovate
renovate
bot
changed the title
(削除) Update dependency setuptools to ~=70.3.0 [SECURITY] (削除ここまで)
(追記) Update dependency setuptools to v78 [SECURITY] (追記ここまで)
Jun 18, 2025
@renovate
renovate
bot
changed the title
(削除) Update dependency setuptools to v78 [SECURITY] (削除ここまで)
(追記) Update dependency setuptools to ~=70.3.0 [SECURITY] (追記ここまで)
Jul 28, 2025
@renovate
renovate
bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
2 times, most recently
from
July 28, 2025 20:59
66294af to
41c990f
Compare
@renovate
renovate
bot
changed the title
(削除) Update dependency setuptools to ~=70.3.0 [SECURITY] (削除ここまで)
(追記) Update dependency setuptools to v78 [SECURITY] (追記ここまで)
Jul 28, 2025
@renovate
renovate
bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
August 3, 2025 17:54
41c990f to
24bc0ab
Compare
@renovate
renovate
bot
changed the title
(削除) Update dependency setuptools to v78 [SECURITY] (削除ここまで)
(追記) Update dependency setuptools to ~=70.3.0 [SECURITY] (追記ここまで)
Aug 3, 2025
@renovate
renovate
bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
August 3, 2025 21:33
24bc0ab to
4a55c69
Compare
@renovate
renovate
bot
changed the title
(削除) Update dependency setuptools to ~=70.3.0 [SECURITY] (削除ここまで)
(追記) Update dependency setuptools to v78 [SECURITY] (追記ここまで)
Aug 3, 2025
@renovate
renovate
bot
changed the title
(削除) Update dependency setuptools to v78 [SECURITY] (削除ここまで)
(追記) Update dependency setuptools to ~=70.3.0 [SECURITY] (追記ここまで)
Aug 10, 2025
@renovate
renovate
bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
August 10, 2025 14:58
4a55c69 to
55b7676
Compare
@renovate
renovate
bot
changed the title
(削除) Update dependency setuptools to ~=70.3.0 [SECURITY] (削除ここまで)
(追記) Update dependency setuptools to v78 [SECURITY] (追記ここまで)
Aug 10, 2025
@renovate
renovate
bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
August 10, 2025 16:54
55b7676 to
d8ed53c
Compare
@renovate
renovate
bot
changed the title
(削除) Update dependency setuptools to v78 [SECURITY] (削除ここまで)
(追記) Update dependency setuptools to ~=70.3.0 [SECURITY] (追記ここまで)
Aug 13, 2025
@renovate
renovate
bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
2 times, most recently
from
August 13, 2025 21:55
0d608be to
67f961c
Compare
@renovate
renovate
bot
changed the title
(削除) Update dependency setuptools to ~=70.3.0 [SECURITY] (削除ここまで)
(追記) Update dependency setuptools to v78 [SECURITY] (追記ここまで)
Aug 13, 2025
@renovate
renovate
bot
changed the title
(削除) Update dependency setuptools to v78 [SECURITY] (削除ここまで)
(追記) Update dependency setuptools to ~=70.3.0 [SECURITY] (追記ここまで)
Aug 19, 2025
@renovate
renovate
bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
2 times, most recently
from
August 19, 2025 22:40
8252ceb to
1fd83b9
Compare
@renovate
renovate
bot
changed the title
(削除) Update dependency setuptools to ~=70.3.0 [SECURITY] (削除ここまで)
(追記) Update dependency setuptools to v78 [SECURITY] (追記ここまで)
Aug 19, 2025
@renovate
renovate
bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
September 25, 2025 15:00
1fd83b9 to
b3101be
Compare
@renovate
renovate
bot
changed the title
(削除) Update dependency setuptools to v78 [SECURITY] (削除ここまで)
(追記) Update dependency setuptools to ~=70.3.0 [SECURITY] (追記ここまで)
Sep 25, 2025
@renovate
renovate
bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
September 25, 2025 20:12
b3101be to
a7eff52
Compare
@renovate
renovate
bot
changed the title
(削除) Update dependency setuptools to ~=70.3.0 [SECURITY] (削除ここまで)
(追記) Update dependency setuptools to v78 [SECURITY] (追記ここまで)
Sep 25, 2025
@renovate
renovate
bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
October 9, 2025 13:02
a7eff52 to
4125da3
Compare
@renovate
renovate
bot
changed the title
(削除) Update dependency setuptools to v78 [SECURITY] (削除ここまで)
(追記) Update dependency setuptools to ~=70.3.0 [SECURITY] (追記ここまで)
Oct 9, 2025
@renovate
renovate
bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
October 9, 2025 18:53
4125da3 to
9ef7beb
Compare
@renovate
renovate
bot
changed the title
(削除) Update dependency setuptools to ~=70.3.0 [SECURITY] (削除ここまで)
(追記) Update dependency setuptools to v78 [SECURITY] (追記ここまで)
Oct 9, 2025
@renovate
renovate
bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
November 11, 2025 01:59
9ef7beb to
0873764
Compare
@renovate
renovate
bot
changed the title
(削除) Update dependency setuptools to v78 [SECURITY] (削除ここまで)
(追記) Update dependency setuptools to ~=70.3.0 [SECURITY] (追記ここまで)
Nov 11, 2025
@renovate
renovate
bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
November 11, 2025 07:49
0873764 to
cfae305
Compare
@renovate
renovate
bot
changed the title
(削除) Update dependency setuptools to ~=70.3.0 [SECURITY] (削除ここまで)
(追記) Update dependency setuptools to v78 [SECURITY] (追記ここまで)
Nov 11, 2025
@renovate
renovate
bot
changed the title
(削除) Update dependency setuptools to v78 [SECURITY] (削除ここまで)
(追記) Update dependency setuptools to ~=70.3.0 [SECURITY] (追記ここまで)
Dec 15, 2025
@renovate
renovate
bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
2 times, most recently
from
December 15, 2025 18:42
1d2f42e to
c6160f6
Compare
@renovate
renovate
bot
changed the title
(削除) Update dependency setuptools to ~=70.3.0 [SECURITY] (削除ここまで)
(追記) Update dependency setuptools to v78 [SECURITY] (追記ここまで)
Dec 15, 2025
@renovate
renovate
bot
changed the title
(削除) Update dependency setuptools to v78 [SECURITY] (削除ここまで)
(追記) Update dependency setuptools to ~=70.3.0 [SECURITY] (追記ここまで)
Dec 30, 2025
@renovate
renovate
bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
2 times, most recently
from
December 30, 2025 18:13
70791bb to
654df2e
Compare
@renovate
renovate
bot
changed the title
(削除) Update dependency setuptools to ~=70.3.0 [SECURITY] (削除ここまで)
(追記) Update dependency setuptools to v78 [SECURITY] (追記ここまで)
Dec 30, 2025
@renovate
renovate
bot
changed the title
(削除) Update dependency setuptools to v78 [SECURITY] (削除ここまで)
(追記) Update dependency setuptools to ~=70.3.0 [SECURITY] (追記ここまで)
Dec 31, 2025
@renovate
renovate
bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
December 31, 2025 16:05
654df2e to
70cdd0a
Compare
@renovate
renovate
bot
force-pushed
the
renovate/pypi-setuptools-vulnerability
branch
from
December 31, 2025 20:12
70cdd0a to
7dd7f56
Compare
@renovate
renovate
bot
changed the title
(削除) Update dependency setuptools to ~=70.3.0 [SECURITY] (削除ここまで)
(追記) Update dependency setuptools to v78 [SECURITY] (追記ここまで)
Dec 31, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.
This PR contains the following updates:
~=70.0.0→~=78.1.1GitHub Vulnerability Alerts
CVE-2025-47273
Summary
A path traversal vulnerability in
PackageIndexwas fixed in setuptools version 78.1.1Details
Here: https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88
os.path.join()discards the first argumenttmpdirif the second begins with a slash or drive letter.nameis derived from a URL without sufficient sanitization. While there is some attempt to sanitize by replacing instances of '..' with '.', it is insufficient.Risk Assessment
As easy_install and package_index are deprecated, the exploitation surface is reduced.
However, it seems this could be exploited in a similar fashion like GHSA-r9hx-vwmv-q579, and as described by POC 4 in GHSA-cx63-2mw6-8hw5 report: via malicious URLs present on the pages of a package index.
Impact
An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to RCE depending on the context.
References
https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5
https://github.com/pypa/setuptools/issues/4946
Release Notes
pypa/setuptools (setuptools)
v78.1.1Compare Source
v78.1.0Compare Source
v78.0.2Compare Source
v78.0.1Compare Source
v77.0.3Compare Source
v77.0.1Compare Source
v76.1.0Compare Source
v76.0.0Compare Source
v75.9.1Compare Source
v75.9.0Compare Source
v75.8.2Compare Source
v75.8.1Compare Source
v75.8.0Compare Source
v75.7.0Compare Source
v75.6.0Compare Source
v75.5.0Compare Source
v75.4.0Compare Source
v75.3.2Compare Source
v75.3.1Compare Source
v75.3.0Compare Source
v75.2.0Compare Source
v75.1.0Compare Source
v75.0.0Compare Source
v74.1.3Compare Source
v74.1.2Compare Source
v74.1.1Compare Source
v74.1.0Compare Source
v74.0.0Compare Source
v73.0.1Compare Source
v73.0.0Compare Source
v72.2.0Compare Source
v72.1.0Compare Source
v72.0.0Compare Source
v71.1.0Compare Source
v71.0.4Compare Source
v71.0.3Compare Source
v71.0.2Compare Source
v71.0.1Compare Source
v71.0.0Compare Source
v70.3.0Compare Source
v70.2.0Compare Source
v70.1.1Compare Source
v70.1.0Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.