setuptools is vulnerable to Information Disclosure
61
Medium Risk
When building a source distribution, setuptools' FileList applies MANIFEST.in directives such as exclude, global-exclude, recursive-exclude, and prune by matching a compiled glob against on-disk file names byte-for-byte with no Unicode normalization. On normalization-preserving filesystems like macOS APFS and HFS+, a file stored in NFD and a pattern authored in NFC refer to the same file but are byte-distinct, so the exclusion silently fails to match. A non-ASCII file the maintainer intended to exclude is then packed into the sdist and can be published to the public PyPI index despite the rule. The fix normalizes both the walked paths and the MANIFEST.in patterns to a canonical Unicode form before matching so exclusions apply consistently.
You are affected if you are using a version that falls within the vulnerable range and you build source distributions on a normalization-preserving filesystem such as macOS APFS/HFS+ using MANIFEST.in exclusion rules that target non-ASCII file names.
setuptools is vulnerable to Information Disclosure in versions 0.0.1 - 82.0.1.
Upgrade the setuptools library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant