## https://sploitus.com/exploit?id=6F6FD426-7019-5237-A76E-0350865D110B
# CVE-2025-47273: Path Traversal in setuptools.package_index
## Disclaimer
This Proof of Concept (PoC) is intended for educational purposes and authorized security auditing only. The author assumes no responsibility for misuse of this information. Unauthorized access to computer systems is illegal and unethical.
---
## Vulnerability Analysis
CVE-2025-47273 is a path traversal vulnerability found in the `package_index` module of the `setuptools` library (v78.1.0 and earlier). The vulnerability allows an attacker to perform an arbitrary file write by providing a specially crafted URL to the `PackageIndex.download()` method.
### The Root Cause: os.path.join() Behavior
The flaw stems from a common pitfall in Python's `os.path.join()` function. According to the Python documentation:
> If a component is an absolute path, all previous components are thrown away and joining continues from the absolute path component.
In the vulnerable version of `setuptools`, the destination filename is determined by extracting a name from the URL and joining it with a temporary directory:
```python
# setuptools/package_index.py
filename = os.path.join(tmpdir, name)
```
If an attacker provides a URL where the filename part (after URL decoding) starts with a forward slash `/`, `os.path.join` discards the `tmpdir` prefix and returns the absolute path provided in the URL.
### Vulnerability Flow Diagram
```text
[ Attacker-Controlled URL ]
http://attacker.local/%2fetc%2fpasswd
|
| 1. URL Decoding
v
[ Decoded Filename (name) ]
"/etc/passwd"
|
| 2. Vulnerable Function Call
v
os.path.join("/tmp/download_dir", "/etc/passwd")
|
| 3. Python os.path.join Logic
v
[ Resulting Path (filename) ]
"/etc/passwd" <-- /tmp/download_dir is discarded!
```
---
## Technical Impact
Since the destination path can be manipulated into an absolute path, an attacker can write arbitrary content to any location on the filesystem where the process has write permissions.
### High-Impact Scenarios:
1. **Privilege Escalation:** If the process using `setuptools` runs with elevated privileges (e.g., a system-wide installer), an attacker can overwrite critical system files like `/etc/passwd`, `/etc/sudoers.d/steve`, or `/etc/shadow`.
2. **Persistence / RCE:** Overwriting user-level configuration files such as `~/.bashrc`, `~/.ssh/authorized_keys`, or injecting code into existing Python libraries can lead to persistent Remote Code Execution.
---
## Reproduction
### Environment Setup
The vulnerability is present in `setuptools` version `78.1.0`.
```bash
pip install setuptools==78.1.0
```
### 1. Start the Malicious Server
The `server.py` script acts as a malicious package index. It serves a payload regardless of the requested path.
```bash
python3 server.py
```
### 2. Run the Exploit
The `exploit.py` script demonstrates the bypass by attempting to write a file to `/tmp/cve_2025_47273_demo` instead of the intended temporary directory.
```bash
python3 exploit.py
```
---
## Mitigation
The vulnerability was addressed in `setuptools` version **78.1.1**. The fix involves strictly sanitizing the `name` variable derived from the URL to ensure it does not contain leading slashes or drive letters before it is passed to `os.path.join()`.
To secure your environment:
```bash
pip install --upgrade setuptools
```
---
## References
- [setuptools Issue #4946](https://github.com/pypa/setuptools/issues/4946)
- [NVD - CVE-2025-47273](https://nvd.nist.gov/vuln/detail/CVE-2025-47273)
- [Huntr Bounty Report](https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5)