GHSA-94v7-wxj6-r2q5 – multicast
Package
Manager: pip
Name: multicast
Vulnerable Version: >=0 <2.0.9a0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
multicast in source builds from vulnerable setuptools dependency

### Impact

* Some source builds may be affected by CWE-1395 (Dependency on Vulnerable Third-Party Component), here a vulnerable `setuptools` build dependency.
* Multicast prior to v2.0.9a3, on systems with only minimal dependencies installed, may build against `setuptools <78.1.1` and thus rely on a compromised dependency. In some cases source builds could fail, or be arbitrarily modified, through exploitation of the closely related CVE-2025-47273 in `setuptools`.

### Patches

* Pre-release version v2.0.9a0 and later resolve the issue by raising the requirement to `setuptools>=80.4`.
* Pre-release version v2.0.9a3 and later are recommended for improved stability over v2.0.9a0.

### Workarounds

* From v2.0.9a4 the build process is further hardened: CI builds produce GitHub attestations, so source builds can be verified against them.

### References

* [GHSA-5rjg-fvgr-3xxf](https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf)
* pypa/setuptools#4946

### Fixes

* https://github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/tests/requirements.txt#L32
* https://github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/docs/requirements.txt#L27
* https://github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/requirements.txt#L26
* https://github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/pyproject.toml#L2
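The advisory's condition is easy to check mechanically: every `setuptools` requirement in a project's pin files must guarantee a version at or above the CVE-2025-47273 fix (78.1.1), and the `setuptools` actually present in the build environment must satisfy the same floor. The following audit script is an added example written for this page; it is not code from the multicast project or from the advisory. The sample requirements text is constructed, the function names are the example's own, and version comparison is deliberately simplified to numeric PEP 440 components (a pre-release suffix such as `a0` is ignored), which is sufficient for `setuptools` release numbers.

```python
"""Audit setuptools pins for the CWE-1395 condition in GHSA-94v7-wxj6-r2q5.

Added example, not code from the multicast project. It classifies every
setuptools requirement in a requirements file against the CVE-2025-47273
fix release (78.1.1) and reports which setuptools the local build environment
actually has. Assumption: versions are plain numeric PEP 440 releases; any
pre-release suffix ("a0", "rc1") is dropped before comparison.
"""
import re
from importlib import metadata

FIXED = (78, 1, 1)        # first setuptools release without CVE-2025-47273
PATCH_FLOOR = (80, 4, 0)  # floor that the multicast v2.0.9a0 fix pins to

_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")
_SPEC = re.compile(r"(===|==|~=|!=|<=|>=|<|>)\s*([0-9][0-9A-Za-z.*+-]*)")


def parse_version(text):
    """'80.4.1a0' -> (80, 4, 1); pads or truncates to three components."""
    nums = tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", text).group(0).split("."))
    return (nums + (0, 0, 0))[:3]


def parse_requirement(line):
    """Return (name, [(op, version), ...]) or None for blank/comment lines."""
    line = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments and env markers
    if not line:
        return None
    m = _REQ.match(line)
    if not m:
        return None
    return m.group(1).lower(), _SPEC.findall(m.group(2))


def classify(specs, fixed=FIXED):
    """'vulnerable-pin' if no fixed release can satisfy the specifiers,
    'unsafe-floor' if an already-installed old setuptools would satisfy them
    (the minimal-system case in the advisory), otherwise 'ok'."""
    for op, ver in specs:
        v = parse_version(ver)
        if (op == "<" and v <= fixed) or (op in ("<=", "==", "===") and v < fixed):
            return "vulnerable-pin"
    # '>' is treated as an inclusive floor here, which is conservative (may over-flag).
    floors = [parse_version(v) for op, v in specs if op in (">=", ">", "==", "===", "~=")]
    if not floors or max(floors) < fixed:
        return "unsafe-floor"
    return "ok"


def audit_requirements(text, package="setuptools"):
    """Return [(requirement line, status)] for every line that pins `package`."""
    findings = []
    for raw in text.splitlines():
        parsed = parse_requirement(raw)
        if parsed and parsed[0] == package:
            findings.append((raw.strip(), classify(parsed[1])))
    return findings


def installed_status(package="setuptools"):
    """Check what the build environment really has, not only what is pinned."""
    try:
        ver = metadata.version(package)
    except metadata.PackageNotFoundError:
        return None, "not-installed"
    return ver, "ok" if parse_version(ver) >= FIXED else "vulnerable"


# Constructed sample requirements file; not the project's own files.
SAMPLE_REQUIREMENTS = """\
# constructed sample, mixes safe and unsafe pins
setuptools<78.1.1
setuptools>=80.4
setuptools
wheel>=0.40
setuptools==70.0.0 ; python_version >= "3.8"
"""

if __name__ == "__main__":
    for line, status in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{status:15s} {line}")
    print("installed:", installed_status())
```

Run it against `requirements.txt`, `docs/requirements.txt`, `tests/requirements.txt` and the `[build-system] requires` list in `pyproject.toml` (the four locations the Fixes section links) and treat anything other than `ok` as the condition this advisory describes. Verifying a v2.0.9a4+ source build against the GitHub attestations mentioned under Workarounds is a separate step that this script does not perform.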
Metadata
Created: 2025-05-28T21:07:05Z
Modified: 2025-05-28T21:07:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-94v7-wxj6-r2q5/GHSA-94v7-wxj6-r2q5.json
CWE IDs: ["CWE-1395"]
Alternative ID: N/A
Finding: F079
Auto approve: 1