setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write
Summary A path traversal vulnerability in PackageIndex was fixed in setuptools version 78.1.1 Details def downloadurlself, url, tmpdir: Determine download filename name, fragment = egginfoforurlurl if name: while '..' in name: name = name.replace'..', '.'.replace'\', '' else: name = "downloaded"...