HIGH · CVSS 8.8
CVE-2024-6345 — Python setuptools RCE via package_index
A remote code execution vulnerability in setuptools's package_index module allowed crafted package URLs to execute arbitrary code during dependency resolution.
Affects
- setuptools < 70.0.0
What an attacker does
A malicious PyPI package containing a crafted setup.py could execute code during `pip install`. Downstream consumers that installed the package in CI pipelines had their build workers compromised.
How to detect
Run `pip show setuptools` in each Python environment and check the reported version: anything below 70.0.0 is affected.
How to fix
Upgrade setuptools to 70.0.0 or later. In CI, pin setuptools explicitly so a stale or unpinned version is not pulled in during installs.
</gre_replace>
<gr_insert after="11" cat="add_content" lang="shell" orig="Upgrade setuptools">
The detection and fix steps above reduce to one check: is the installed setuptools below 70.0.0? The script below is an added example (not from this advisory and not part of setuptools) that parses the `pip show setuptools` output, compares the version against the fixed release, and returns a distinct exit status for vulnerable, safe and unknown. It assumes `python3 -m pip` is on PATH; the function names (`version_lt`, `setuptools_is_vulnerable`, `check_setuptools`) are this example's own.

```shell
#!/bin/sh
# Added example: flag a setuptools install older than the release that
# fixes CVE-2024-6345. Illustrative code, not from the advisory or setuptools.

FIXED_VERSION="70.0.0"   # first fixed release, as stated in the advisory

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
# Numeric components are compared left to right; a non-numeric suffix
# (for example a pre-release tag) is dropped, so pre-releases compare
# as their base release. Adequate for release pins, not a full PEP 440 parser.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[^0-9.].*/, "", a); sub(/[^0-9.].*/, "", b)
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1   # versions are equal: not lower
    }'
}

# setuptools_is_vulnerable VERSION: exit 0 when VERSION is below the fix.
setuptools_is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_setuptools_version: print the version line from `pip show`,
# or nothing when setuptools (or pip) is absent from this interpreter.
installed_setuptools_version() {
    python3 -m pip show setuptools 2>/dev/null | awk '/^Version:/ { print $2 }'
}

# check_setuptools: report status. Exit 0 = at or above fix, 1 = vulnerable,
# 2 = could not determine (setuptools or pip not available).
check_setuptools() {
    ver="$(installed_setuptools_version)"
    if [ -z "$ver" ]; then
        echo "setuptools: not installed or pip unavailable"
        return 2
    fi
    if setuptools_is_vulnerable "$ver"; then
        echo "setuptools $ver is below $FIXED_VERSION: affected by CVE-2024-6345"
        return 1
    fi
    echo "setuptools $ver is at or above the fixed release $FIXED_VERSION"
    return 0
}

# Run the check when invoked as: sh check_setuptools.sh --check
# A CI job would pin before this runs: python3 -m pip install "setuptools>=70.0.0"
case "${1:-}" in
    --check) check_setuptools ;;
esac
```

Wire `check_setuptools` into the CI job right after the pin step and fail the job on exit status 1; treating status 2 as a failure as well catches the case where the check silently ran against the wrong interpreter.
<test>
set -e
setuptools_is_vulnerable 69.5.1 || exit 1
setuptools_is_vulnerable 65.5.0 || exit 1
setuptools_is_vulnerable 69.5 || exit 1
if setuptools_is_vulnerable 70.0.0; then exit 1; fi
if setuptools_is_vulnerable 70.1.0; then exit 1; fi
if setuptools_is_vulnerable 75.8.0; then exit 1; fi
version_lt 9.9.9 10.0.0 || exit 1
if version_lt 70.0.0 69.9.9; then exit 1; fi
</test>
</gr_insert>
<gr_replace lines="12" cat="remove_boilerplate" orig="Securie findinghigh">
Securie findinghigh · CVSS 8.8
How Securie catches CVE-2024-6345
Securie's Python supply-chain specialist catches this finding and audits pyproject.toml.