[CVE-2025-47273, CVE-2024-6345] in setuptools 67.6.1 bundled with Python 3.12 Runtime #135374
Comments
On Python 3.12+ setuptools is no longer installed by default so there won't be "two versions" unless the user installs setuptools on their own. Also, importantly, the old version of setuptools is inside You're right that on older supported versions of Python (3.9, 3.10, and 3.11) setuptools is bundled as part of While at it, to make it less of an issue for eager security scanners in the future, I upgraded the test/wheeldata setuptools file as well since it should be a harmless operation. There is a number of breaking changes between the previous version and v79.0.1, but they shouldn't affect our limited use case inside the tests. But since there's been a lot of reported compatibility breakage with setuptools 80.x, I opted to stay at 79.0.1. gh-135391 upgrades test/wheeldata setuptools to 79.0.1 on 3.13. Note that we don't have an immediate schedule for releasing new Python versions with the upgraded versions. |
Uh oh!
There was an error while loading. Please reload this page.
Bug report
Bug description:
Python 3.12 runtime includes a vulnerable version of
setuptools(v67.6.1).File location: /lib/python3.12/test/wheeldata/setuptools-67.6.1-py3-none-any.whl
It is present in the final runtime layer, causing vulnerability scanners to flag the image with high-severity CVEs.
While this file is not actively used by a running application, its presence on the filesystem is sufficient for security scanners to detect and report these vulnerabilities.
for other versions also, we're seeing multiple setuptools versions installed along with the latest
v80.9.0v58.1.0v65.5.0v67.6.1We wanted to know if this multiple setuptools installation behaviour is fixed in upcoming Python version upgrades.
CPython versions tested on:
3.12
Operating systems tested on:
Linux
Linked PRs
The text was updated successfully, but these errors were encountered: