REPRO-2026-00001 HIGH Path Traversal Verified

Setuptools Path Traversal via PackageIndex.download

setuptools (pip) Jan 7, 2026

Open in Codespaces Download Script

Confidence HIGH

Reproduced in 14m 9s

Tool calls 34

Affected setuptools < 78.1.1

Fixed in 78.1.1

What's the vulnerability?

No summary available

Root Cause Analysis

Insufficient sanitization of filename derived from URL allows absolute-path write; os.path.join(tmpdir, name) is bypassed when name starts with '/', \ or a drive letter.

One Command

Verify with pruva-verify

Run the Pruva CLI to automatically fetch and execute the reproduction script.

pruva-verify REPRO-2026-00001

or pruva-verify GHSA-5rjg-fvgr-3xxf

or pruva-verify CVE-2025-47273

Install: curl -fsSL https://pruva.dev/install.sh | sh

Or Run Manually

Download the script

curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00001/artifacts/reproduction_steps.sh

Make executable

chmod +x reproduction_steps.sh

Run the script

./reproduction_steps.sh

Run in a VM, container, or disposable environment. This exploits a real vulnerability.

How Pruva Reproduced This

Watch the AI agent's step-by-step process.

Loading session...

Artifacts

No artifacts available