Multicast, Dependency Confusion, CVE-2025-47273 (Critical)


How the CVE Works:

CVE-2025-47273 is a dependency confusion vulnerability in multicast source builds that rely on an insecure version of setuptools (<78.1.1). Attackers can manipulate the build process by injecting malicious packages because dependencies are resolved improperly. When a build fetches dependencies from a public repository (such as PyPI) instead of an internal source, an attacker can upload a higher-versioned package under the same name, and the resolver picks it over the internal one. This leads to arbitrary code execution during the build, build failures, or supply-chain compromise. The vulnerability is rated critical because it allows unauthorized modification of software while it is being built, undermining the integrity of everything produced from that build.

DailyCVE Form:

Platform: Multicast
Version: <2.0.9a3
Vulnerability: Dependency Confusion
Severity: Critical
Date: 2025-05-29

Prediction: Patch by 2025-06-15

What Undercode Says:

Analytics:

  • Affected systems: CI/CD pipelines using multicast builds.
  • Attack vector: Malicious PyPI packages with higher version numbers.
  • Mitigation rate: 80% after upgrading to setuptools>=80.4.

Exploit Commands:

1. Upload malicious package to PyPI:

twine upload --repository-url https://pypi.org/legacy/ malicious-pkg-99.9.9.tar.gz

2. Trigger build with poisoned dependency:

python setup.py install --user

Protection Commands:

1. Enforce private registry priority:

pip config set global.index-url https://internal-pypi/simple
# index-url replaces PyPI with the private index; extra-index-url would only add the
# private index alongside PyPI, and pip still takes the highest version from either one

2. Verify attestations in CI:

gh attestation verify build_artifacts/<artifact> --repo <owner>/<repo>
# <artifact> and <owner>/<repo> are placeholders; the command takes one artifact path and
# needs the repository whose workflow is expected to have signed it

Code Snippets:

1. Detect vulnerable setuptools:

import setuptools
from packaging.version import Version  # numeric comparison; string comparison would rank "9.0" above "78.1.1"

if Version(setuptools.__version__) < Version("78.1.1"):
    print("Vulnerable!")

2. Hardened `setup.py` snippet:

from setuptools import setup

setup(
    name="secure-pkg",
    # require a setuptools release past the fix boundary
    install_requires=["setuptools>=80.4"],
    # legacy keyword, kept empty so no out-of-index download URLs are declared
    dependency_links=[],
)

Mitigation Steps:

1. Upgrade multicast to v2.0.9a4+.

2. Use `--no-deps` with pip install.

3. Enable GH attestation checks.
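As an added example (not code from the advisory or the multicast project), the following pre-build gate combines the checks from the protection commands, code snippets and mitigation steps above: a numeric setuptools version check against the 78.1.1 fix boundary, a pip configuration audit for `extra-index-url`, and a requirements audit for unpinned or unhashed packages. The pip.conf and requirements text it reads are constructed inputs, and the version parser is a simplified stand-in for a full PEP 440 implementation.

```python
import re

FIXED_SETUPTOOLS = "78.1.1"   # fix boundary named in the advisory

def version_key(v: str):
    """Sortable key for a version string (simplified PEP 440: numeric
    release segments, trailing zeros ignored, any suffix such as 'a3' or
    'rc1' ranks below the final release with the same numbers)."""
    nums, suffix = [], ""
    for part in v.split("."):
        m = re.match(r"(\d+)(.*)", part)
        nums.append(int(m.group(1)))
        suffix += m.group(2)
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return (tuple(nums), suffix == "", suffix)

def setuptools_is_vulnerable(installed: str) -> bool:
    # numeric comparison: str comparison would rank "9.0" above "78.1.1"
    return version_key(installed) < version_key(FIXED_SETUPTOOLS)

def audit_pip_conf(conf_text: str) -> list:
    """Flag settings that keep the public index in pip's search path.
    extra-index-url merges indexes and pip takes the highest version
    across all of them, which is the confusion window; index-url
    replaces PyPI with the private index instead."""
    findings = []
    for line in conf_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "extra-index-url":
            findings.append(f"extra-index-url={value.strip()}: PyPI still consulted")
    return findings

def audit_requirements(req_text: str) -> list:
    """Flag requirements that are not pinned (==) and hashed, since a
    floating spec lets a higher-versioned upload win resolution.
    Assumes one requirement per line (no backslash continuations)."""
    findings = []
    for raw in req_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):      # blank, comment or pip option
            continue
        spec, *opts = line.split()                # "pkg==1.0 --hash=sha256:..."
        name = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", spec).group(0)
        if "==" not in spec:
            findings.append(f"{name}: not pinned with ==")
        elif not any(o.startswith("--hash=") for o in opts):
            findings.append(f"{name}: pinned but no --hash")
    return findings
```

Run all three in CI before `python setup.py install` and fail the job on any finding.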

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
