CVE-2024-6345

8.8 HIGH

📋 TL;DR

This vulnerability in setuptools allows remote code execution when user-controlled URLs are processed by the package_index module. Attackers can inject malicious commands that execute on the system when setuptools downloads packages. Anyone using setuptools versions up to 69.1.1 with untrusted package sources is affected.

💻 Affected Systems

Products:
  • pypa/setuptools
Versions: All versions up to 69.1.1
Operating Systems: All operating systems where Python and setuptools run
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configurations when setuptools processes package URLs. The risk depends on whether untrusted URLs reach the vulnerable functions.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining complete control over the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Arbitrary command execution in the context of the user running setuptools, allowing file system access, data exfiltration, and installation of backdoors.

🟢 If Mitigated

Limited impact if proper input validation and sandboxing are implemented, potentially only affecting isolated environments.

🌐 Internet-Facing: HIGH - If setuptools processes URLs from external sources (like public PyPI mirrors or user-provided URLs), it's directly exploitable from the internet.
🏢 Internal Only: MEDIUM - Internal systems could be vulnerable if they process untrusted package URLs from internal sources or compromised internal repositories.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to control the URL processed by setuptools. Public proof-of-concept exists in the huntr.com bounty report.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 70.0

Vendor Advisory: https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0

Restart Required: No

Instructions:

  1. Upgrade setuptools using pip: 'pip install --upgrade "setuptools>=70.0"' (the quotes stop the shell from treating >= as an output redirection)
  2. Verify installation: 'pip show setuptools' should show version 70.0 or higher
  3. Update any pinned dependencies in requirements.txt or setup.py

🔧 Temporary Workarounds

Restrict package sources

Platform: all

Configure pip/setuptools to only use trusted package repositories and disable processing of arbitrary URLs.

pip config set global.index-url https://pypi.org/simple/

Do not add 'pip config set global.trusted-host ...' for these hosts: trusted-host does not restrict sources, it tells pip to accept those hosts over plain HTTP or with an invalid certificate, so it weakens rather than narrows the download path.

Sandbox execution

Platform: linux

Run setuptools in a restricted environment or container to limit potential damage from exploitation. With a read-only root filesystem pip cannot write into the image's site-packages, so the install is directed at a tmpfs target; a tmpfs is used instead of bind-mounting the host's /tmp so the sandboxed process shares no host files.

docker run --rm --read-only --tmpfs /tmp --user 65534:65534 -e HOME=/tmp python:latest \
  pip install --no-cache-dir --target /tmp/pkgs package

🧯 If You Can't Patch

  • Implement strict input validation to reject suspicious URLs containing shell metacharacters or unusual patterns
  • Run setuptools with minimal privileges using non-root users and restricted filesystem access

🔍 How to Verify

Check if Vulnerable:

Check setuptools version: 'python -c "import setuptools; print(setuptools.__version__)"' - if the reported version is 69.1.1 or lower, the system is vulnerable. Compare the version numerically, not as text (as a string, 8.0.0 sorts after 69.1.1).

Check Version:

python -c "import setuptools; print(setuptools.__version__)"

Verify Fix Applied:

After upgrading, confirm that the same command reports 70.0 or higher, then install a known-good package to check that setuptools still works.
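As an added example that is not part of this advisory, the following Python script performs the version check above by comparing release numbers rather than strings, which is where an ad-hoc "<= 69.1.1" check goes wrong for versions such as 69.5.1 or 8.0.0. FIXED_RELEASE is taken from the "Patch Version: 70.0" stated above (assumed to mean 70.0.0), and the handling of pre-release suffixes is this example's own assumption.

```python
"""Version check for CVE-2024-6345 (setuptools; fixed release taken as 70.0.0).

Added example: compares the numeric release segments instead of the raw
strings, which is the mistake an ad-hoc "<= 69.1.1" script tends to make.
"""
import re
from typing import Optional, Tuple

# First fixed release per the advisory's "Patch Version: 70.0" (assumed to mean 70.0.0).
FIXED_RELEASE: Tuple[int, ...] = (70, 0, 0)

# Leading "v", dotted release numbers, optional pre-release marker.
_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(a|b|rc|\.?dev)?", re.IGNORECASE)


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Return (release_tuple, final_flag) for ordering comparisons.

    The release segment is padded to three numbers so "70" == "70.0.0".
    A pre-release marker (a, b, rc, dev) sets final_flag to 0, so
    "70.0.0rc1" orders before "70.0.0"; post-releases count as final.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * max(0, 3 - len(release))
    is_final = 0 if m.group(2) else 1
    return release, is_final


def is_vulnerable(version: str) -> bool:
    """True when the given setuptools version is below the fixed release."""
    return version_key(version) < (FIXED_RELEASE, 1)


def naive_is_vulnerable(version: str) -> bool:
    """The anti-pattern: lexical comparison. Wrong for e.g. "69.5.1" and "8.0.0"."""
    return version <= "69.1.1"


def installed_status() -> Optional[Tuple[str, bool]]:
    """Report (version, vulnerable) for the setuptools in this interpreter, if any."""
    try:
        import setuptools  # may be absent on minimal Python 3.12+ installs
    except ImportError:
        return None
    return setuptools.__version__, is_vulnerable(setuptools.__version__)


if __name__ == "__main__":
    for v in ("69.1.1", "69.5.1", "70.0.0rc1", "70.0.0", "8.0.0"):
        print(f"{v:>10}  vulnerable={is_vulnerable(v)!s:5}  naive={naive_is_vulnerable(v)}")
    print("installed:", installed_status())
```

Run it inside the environment you are checking; installed_status() reads the interpreter's own setuptools, so a virtual environment with a different setuptools needs its own run.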

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution during package installation
  • Setuptools processes accessing unusual URLs or domains
  • Error logs showing failed command injection attempts

Network Indicators:

  • Setuptools connecting to unusual or suspicious domains for package downloads
  • HTTP requests to non-standard PyPI mirrors with unusual parameters

SIEM Query:

process.name:python AND cmdline:*setuptools* AND (cmdline:*http* OR cmdline:*curl* OR cmdline:*wget*) AND NOT domain:pypi.org AND NOT domain:pythonhosted.org
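To show the query's logic in code, here is an added Python example (not from the advisory) that applies the same four clauses to constructed process events. The event field names mirror the query, the sample events and the .example/.internal hostnames are invented, and subdomains of pypi.org and pythonhosted.org are treated as allowed, which goes slightly beyond the query's exact-match NOT domain: clauses.

```python
"""Apply the advisory's SIEM query logic to constructed process events.

Added example, not part of the advisory. Field names follow the query
(process.name, cmdline, domain); the events below are invented samples.
"""
from typing import Dict, Iterable, List

# Package hosts the query excludes; subdomains (files.pythonhosted.org) are
# accepted by suffix match, a deliberate widening of the query's exact match.
ALLOWED_DOMAINS = ("pypi.org", "pythonhosted.org")
DOWNLOAD_MARKERS = ("http", "curl", "wget")


def domain_allowed(domain: str) -> bool:
    """True for an allowed host or one of its subdomains.

    The "." prefix matters: a bare endswith("pypi.org") would also accept
    a lookalike such as evilpypi.org.
    """
    d = domain.strip().lower().rstrip(".")
    return any(d == a or d.endswith("." + a) for a in ALLOWED_DOMAINS)


def matches(event: Dict[str, str]) -> bool:
    """One event satisfies all four clauses of the query."""
    name = event.get("process.name", "").lower()
    if not name.startswith("python"):                    # process.name:python
        return False
    cmd = event.get("cmdline", "").lower()
    if "setuptools" not in cmd:                          # cmdline:*setuptools*
        return False
    if not any(m in cmd for m in DOWNLOAD_MARKERS):      # *http* OR *curl* OR *wget*
        return False
    return not domain_allowed(event.get("domain", ""))   # NOT domain:pypi.org ...


def find_suspicious(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events the query would surface, in input order."""
    return [e for e in events if matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # plain pip install, no setuptools on the command line: ignored
        "process.name": "python3",
        "cmdline": "python3 -m pip install requests",
        "domain": "files.pythonhosted.org",
    },
    {   # setuptools fetched from the expected index: ignored by the domain clause
        "process.name": "python",
        "cmdline": "python -m pip install --index-url https://pypi.org/simple/ setuptools",
        "domain": "pypi.org",
    },
    {   # setuptools pulled from an unknown internal host: flagged
        "process.name": "python",
        "cmdline": "python -m pip install --find-links http://pkgs.example.internal/ setuptools",
        "domain": "pkgs.example.internal",
    },
    {   # lookalike domain that a sloppy suffix check would allow: flagged
        "process.name": "python",
        "cmdline": "python -m pip install --index-url http://evilpypi.org/simple/ setuptools",
        "domain": "evilpypi.org",
    },
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("suspicious:", hit["domain"], "|", hit["cmdline"])
```

When porting this back to a real SIEM, keep the subdomain handling in mind: an exact NOT domain:pythonhosted.org clause will still flag legitimate downloads from files.pythonhosted.org unless the query uses a suffix or wildcard match.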
