{"repro_id":"REPRO-2026-00001","version":3,"title":"Setuptools Path Traversal via PackageIndex.download","repro_type":"security","status":"published","severity":"high","root_cause":"Insufficient sanitization of filename derived from URL allows absolute-path write; os.path.join(tmpdir, name) is bypassed when name starts with '/', \\ or a drive letter.","ghsa_id":"GHSA-5rjg-fvgr-3xxf","cve_id":"CVE-2025-47273","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-47273","package":{"name":"setuptools","ecosystem":"pip","affected_versions":"setuptools < 78.1.1","fixed_version":"78.1.1"},"reproduced_at":"2026-01-07T09:16:10.281212+00:00","duration_secs":849.2,"tool_calls":34,"turns":2,"handoffs":1,"quality":{"idempotent_verified":false,"community_verifications":0},"key_moments":[{"agent":"repro","description":"The reproduction agent wrote the reproduction_steps.sh script containing the exploit code.","index":8,"time":849207.0231437683,"title":"PoC Script Written","type":"poc_created"},{"agent":"repro","description":"The agent ran Python commands to prepare and configure the vulnerable environment using the provided wheel file.","index":14,"time":849207.5698375702,"title":"Vulnerable Environment Configured","type":"env_setup"},{"agent":"repro","description":"The reproduction script was executed to trigger the vulnerability.","index":17,"time":849207.9091072083,"title":"Exploit Executed","type":"vuln_triggered"},{"agent":"repro","description":"The agent confirmed that a full, self-contained reproduction of the vulnerability was successfully created and verified.","index":37,"time":849209.1403007507,"title":"Reproduction Verified","type":"confirmation"}],"published_at":"2026-01-07T09:17:50.778947+00:00","retracted":false,"artifacts":[{"path":"repro/rca_report.md","filename":"rca_report.md","size":4467,"category":"analysis"},{"path":"repro/reproduction_steps.sh","filename":"reproduction_steps.sh","size":8448,"category":"reproduction_script"},{"path":"reproduction_steps.sh","filename":"reproduction_steps.sh","size":322,"category":"reproduction_script"},{"path":"logs/pip_install.log","filename":"pip_install.log","size":0,"category":"log"},{"path":"logs/poc_patched.jsonl","filename":"poc_patched.jsonl","size":710,"category":"other"},{"path":"logs/poc_patched.log","filename":"poc_patched.log","size":710,"category":"log"},{"path":"logs/poc_vulnerable.jsonl","filename":"poc_vulnerable.jsonl","size":444,"category":"other"},{"path":"logs/poc_vulnerable.log","filename":"poc_vulnerable.log","size":484,"category":"log"},{"path":"logs/result.json","filename":"result.json","size":245,"category":"other"},{"path":"repro/attempts.txt","filename":"attempts.txt","size":332,"category":"other"},{"path":"repro/patch_analysis.md","filename":"patch_analysis.md","size":2587,"category":"documentation"},{"path":"repro/poc.py","filename":"poc.py","size":3405,"category":"script"},{"path":"ticket.md","filename":"ticket.md","size":2705,"category":"ticket"}]}