HIGH · CVSS 8.8
CVE-2024-6345 — Python setuptools RCE via package_index
A remote code execution in setuptools's package_index module allowed malicious package URLs to execute arbitrary code during dependency resolution.
Affects
- setuptools < 70.0.0
What an attacker does
A malicious PyPI package containing a crafted setup.py could execute code during `pip install`. Downstream consumers who installed that package in CI pipelines had their build workers compromised.
How to detect
Run `pip show setuptools` and compare the reported Version against 70.0.0; any lower version is affected.
How to fix
Upgrade setuptools to 70.0.0+. In CI, pin setuptools explicitly.
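A CI gate that applies the detection and fix guidance above, written as an added example (it is not Securie's scanner and not setuptools' own code): it parses the output of `pip show setuptools` and exits non-zero when the installed version is below 70.0.0, so a pipeline that forgot to pin setuptools fails loudly. The sample `pip show` output is constructed, and the version comparison is a small PEP 440 subset written here to avoid depending on the `packaging` library.

```python
"""CI gate for CVE-2024-6345: exit non-zero when setuptools < 70.0.0 is installed.
Added example (not from the advisory or setuptools); avoids the third-party `packaging` lib."""
import re
import subprocess
import sys
FIXED_VERSION = (70, 0, 0, 0)  # first release with the fix (see "Affects" above)

# Constructed sample of what `pip show setuptools` prints on an unpatched host.
SAMPLE_PIP_SHOW = """Name: setuptools
Version: 69.5.1
Summary: Easily download, build, install, upgrade, and uninstall Python packages
"""
# Numeric release, then an optional pre-release (a/b/rc/dev) or post-release tag.
_VERSION_RE = re.compile(r"\s*v?(\d+(?:\.\d+)*)(?:\.?(a|b|rc|dev|post)\d*)?")

def parse_version(text):
    """Comparable tuple: release components padded to 3, plus a tag that orders
    pre-releases (-1) below the final release (0) and post-releases (+1) above."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (3 - len(release))
    tag = {None: 0, "post": 1}.get(m.group(2), -1)
    return release + (tag,)

def version_from_pip_show(output):
    """Extract the 'Version:' field from `pip show` output; None if the package is absent."""
    for line in output.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "version":
            return value.strip()
    return None

def is_vulnerable(version):
    """True when this setuptools version is below the fixed release 70.0.0."""
    return parse_version(version) < FIXED_VERSION

def check_installed():
    """Run the advisory's detection command and return (version, vulnerable)."""
    out = subprocess.run([sys.executable, "-m", "pip", "show", "setuptools"],
                         capture_output=True, text=True, check=False).stdout
    version = version_from_pip_show(out)
    return version, (version is not None and is_vulnerable(version))

if __name__ == "__main__":
    version, vulnerable = check_installed()
    print(f"setuptools {version or 'not found'}: {'VULNERABLE' if vulnerable else 'ok'}")
    sys.exit(1 if vulnerable else 0)
```

Run it as a step before `pip install` in each CI job; a pre-release such as 70.0.0rc1 is deliberately still treated as affected, since only the final 70.0.0 is the fixed release named above.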
How Securie catches it
Securie's Python supply-chain scanner catches this and audits pyproject.toml.