Python Setuptools

Vulnerability statistics and advisories for Python Setuptools, compiled by stack.watch.

By the Year

So far in 2026 there have been 0 vulnerabilities published for Python Setuptools. In 2025, Setuptools had 1 security vulnerability published. Based on the year to date, Setuptools is on track to have fewer security vulnerabilities in 2026 than it did last year.

Year    Vulnerabilities    Average Score
2026    0                  0.00
2025    1                  8.80
2024    1                  0.00 (the single 2024 entry carries no score on this page)
2023    0                  0.00
2022    1                  5.90

It may take a day or so for new Setuptools vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Python Setuptools Security Vulnerabilities

setuptools <78.1.1 Path Traversal via PackageIndex allows file write
CVE-2025-47273 8.8 - High - May 17, 2025

setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.

Directory traversal
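The advisory above describes the bug class but not the mechanics, so here is an added example (not setuptools' own code) of how a download-path resolver of the kind used by a package index client goes wrong and how to harden it. It assumes the filename is derived from the last segment of the download URL after percent-decoding; the URLs and the helper names (name_from_url, naive_download_path, safe_download_path, rejected) are constructed for illustration.

```python
import os
import urllib.parse

# Constructed sample URLs (example.test is not a real package host).
BENIGN_URL = "https://files.example.test/packages/demo-1.0.tar.gz"
ABSOLUTE_URL = "https://files.example.test/packages/%2Fetc%2Fcron.d%2Fevil"
DOTDOT_URL = "https://files.example.test/packages/..%2F..%2Fevil.sh"


def name_from_url(url: str) -> str:
    """Last path segment of the URL, percent-decoded.  An index link such as
    .../demo-1.0.tar.gz yields 'demo-1.0.tar.gz'; an encoded slash or dot-dot
    survives decoding and becomes part of the "filename"."""
    path = urllib.parse.urlparse(url).path
    return urllib.parse.unquote(path.split("/")[-1]) or "__downloaded__"


def naive_download_path(url: str, tmpdir: str) -> str:
    """Unsafe pattern: join the decoded name straight onto tmpdir.
    os.path.join discards tmpdir entirely when the name is absolute, and a
    decoded '../' walks out of it, so the write lands wherever the URL says."""
    return os.path.join(tmpdir, name_from_url(url))


def safe_download_path(url: str, tmpdir: str) -> str:
    """Hardened resolver: accept only a single path component, then confirm
    the resolved target still lies inside tmpdir before returning it."""
    name = name_from_url(url)
    if "/" in name or "\\" in name or name in ("", ".", ".."):
        raise ValueError(f"refusing unsafe download name {name!r} from {url!r}")
    root = os.path.realpath(tmpdir)
    target = os.path.join(root, name)
    # Defence in depth: even a single component must resolve under root
    # (guards against a symlinked tmpdir and platform separator quirks).
    if os.path.commonpath([root, os.path.realpath(target)]) != root:
        raise ValueError(f"{target!r} resolves outside {root!r}")
    return target


def rejected(url: str, tmpdir: str) -> bool:
    """True if the hardened resolver refuses the URL."""
    try:
        safe_download_path(url, tmpdir)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        for url in (BENIGN_URL, ABSOLUTE_URL, DOTDOT_URL):
            print(url)
            print("  naive ->", naive_download_path(url, d))
            print("  safe  ->", "REJECTED" if rejected(url, d) else safe_download_path(url, d))
```

Refusing rather than silently trimming the name to its basename is deliberate: a URL that decodes to a multi-component path is never a legitimate distribution link, and surfacing it is more useful than quietly writing somewhere the caller did not ask for.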

setuptools <=69.1.1 RCE via download URL injection
CVE-2024-6345 - July 15, 2024

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

Code Injection
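To make the injection path concrete, here is an added example (not setuptools' own code) contrasting a download helper that interpolates a user-supplied URL into a shell command string with one that passes it as a separate argument and validates it first. printf stands in for the VCS client so the vulnerable form can be run harmlessly; the URL, scheme allow-list and helper names (vulnerable_run, hardened_run, validate_vcs_url, build_clone_argv, url_rejected) are constructed for illustration.

```python
import subprocess
from urllib.parse import urlparse

# Constructed attacker-controlled "download URL": a shell command separator
# followed by a harmless marker command.
HOSTILE_URL = "https://example.test/repo.git; echo INJECTED"
DEST = "pkg-src"

# Constructed allow-list of VCS URL schemes this client is willing to fetch.
ALLOWED_SCHEMES = {"https", "git+https", "ssh", "git+ssh"}


def vulnerable_run(url: str, dest: str) -> str:
    """Unsafe pattern: build one command string and hand it to the shell
    (os.system() style).  Every shell metacharacter in url is interpreted,
    so the '; echo INJECTED' tail runs as its own command."""
    cmd = f"printf '%s\\n' {url} {dest}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_run(url: str, dest: str) -> str:
    """argv list, no shell: the entire URL reaches the tool as one argument,
    metacharacters included, and nothing else is executed."""
    return subprocess.run(["printf", "%s\n", url, dest],
                          capture_output=True, text=True).stdout


def validate_vcs_url(url: str) -> str:
    """Allow-list the scheme and require a host before the URL reaches any
    command line.  Rejects things like 'ext::sh -c id', 'file:///...' and
    scp-style 'user@host:path', none of which parse to an allowed scheme."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.netloc:
        raise ValueError(f"unsupported or malformed VCS URL: {url!r}")
    return url


def build_clone_argv(url: str, dest: str) -> list[str]:
    """Clone command built the safe way: validated URL, list arguments, and
    '--' so neither positional can be parsed as an option.  Argument lists
    stop shell injection but not option injection; '--' covers the latter."""
    return ["git", "clone", "--quiet", "--", validate_vcs_url(url), dest]


def url_rejected(url: str) -> bool:
    """True if validate_vcs_url refuses the URL."""
    try:
        validate_vcs_url(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("shell string :", repr(vulnerable_run(HOSTILE_URL, DEST)))
    print("argv list    :", repr(hardened_run(HOSTILE_URL, DEST)))
    print("clone argv   :", build_clone_argv(HOSTILE_URL, DEST))
```

Note that the hostile URL still passes validate_vcs_url, because its scheme and host are fine; the point is that with argv passing the clone simply fails on a nonsensical URL instead of running the injected command.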

setuptools <65.5.1 ReDoS in package_index.py
CVE-2022-40897 5.9 - Medium - December 23, 2022

Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.

ReDoS
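The entry names the bug class but not what makes an HTML-scraping regex catastrophic, so here is an added example (not setuptools' own code, and not the pattern from the CVE) showing the shape of the problem and the parser-based alternative for untrusted index pages. The regexes, the sample page and the helper names (timed_search, IndexLinks, extract_links) are constructed for illustration.

```python
import re
import time
from html.parser import HTMLParser

# Constructed pattern with the shape that bites whitespace-handling regexes:
# a repeated group whose body (`\s*`, which includes `\n`) can also match what
# the next iteration's `\n` matches.  A run of n newlines that is not followed
# by '(' is re-split roughly 2**n ways before the search gives up.
AMBIGUOUS = re.compile(r"(\n\s*)+\(")

# Same language, exactly one way to match: a newline, optional whitespace, '('.
LINEAR = re.compile(r"\n\s*\(")


def timed_search(pattern, text):
    """Return (matched, seconds) for pattern.search(text)."""
    start = time.perf_counter()
    matched = pattern.search(text) is not None
    return matched, time.perf_counter() - start


class IndexLinks(HTMLParser):
    """Linear-time extraction of <a href> targets from an index page: the
    tokenizer never backtracks, so crafted whitespace costs only O(n)."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def extract_links(html: str) -> list[str]:
    parser = IndexLinks()
    parser.feed(html)
    parser.close()
    return parser.links


# Constructed index page: two package links followed by a large run of
# newlines of the kind a crafted PackageIndex page could carry.
SAMPLE_INDEX = (
    "<html><body>\n"
    '<a href="https://files.example.test/demo-1.0.tar.gz#md5='
    '0123456789abcdef0123456789abcdef">demo-1.0.tar.gz</a>\n'
    '<a href="../../packages/demo-1.1.tar.gz">demo-1.1.tar.gz</a>\n'
    + "\n" * 20000
    + "</body></html>"
)


if __name__ == "__main__":
    # Keep the ambiguous pattern on a small input; a few more newlines and
    # the search would not return in a useful amount of time.
    print("ambiguous, 22 newlines :", timed_search(AMBIGUOUS, "\n" * 22 + "x"))
    print("linear, 20000 newlines :", timed_search(LINEAR, SAMPLE_INDEX))
    print("links:", extract_links(SAMPLE_INDEX))
```

When a scraper must keep a regex, the fix is the LINEAR shape: make sure no two adjacent quantified pieces can consume the same characters, or anchor the pattern so there is only one way to match each input.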

Vendor: Python