CVE-2025-47273 in Python runtime
Describe the bug
When building an image for a Python application using buildpack in Cloud Build, the resulting image gets flagged with CVE-2025-47273, which has severity high.
It is setuptools that has this vulnerability, which has been fixed in version 78.1.1, which was released April 19.
Additional context
How are you using GCP buildpacks?
- [x] `pack` and the `gcr.io/buildpacks/builder`
- [ ] Cloud Functions
- [ ] Cloud Run
- [x] Cloud Build
- [ ] App Engine Standard
- [ ] App Engine Flex
- [ ] Firebase App Hosting
Did this used to work?
Yes. This wasn't an issue until the CVE was discovered.
What language is your project primarily written in?
Python
Steps To Reproduce
Steps to reproduce the behavior:
```
...
gcloud builds submit . --pack builder=gcr.io/buildpacks/builder:google-22,image=${TF_VAR_IMAGE_PATH}:${TF_VAR_IMAGE_TAG} --project ${TF_VAR_BUILD_PROJECT_ID}
...
===> DETECTING
[detector] target distro name/version labels not found, reading /etc/os-release file
[detector] google.python.runtime 0.9.1
[detector] google.python.pip 0.9.2
[detector] google.config.entrypoint 0.9.0
[detector] google.utils.label-image 0.0.2
...
[builder] Installing Python v3.13.3.
```
Expected behavior
An image without CVE of high severity for setuptools.
Actual behavior
An image with CVE of high severity for setuptools.
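To confirm the scanner finding, or that a rebuilt image picked up the fix, the setuptools copies inside the image can be checked directly. The script below is an added example, not part of the original issue or the buildpacks project; it assumes the image filesystem has been unpacked to a local directory, and `FIXED`, `find_setuptools` and `audit` are names chosen here, with the 78.1.1 threshold taken from the report above.

```python
import os
import re
import sys
from email.parser import HeaderParser

FIXED = (78, 1, 1)  # fixed setuptools release named in the issue above


def parse_version(text):
    """Leading numeric release segment, e.g. '78.1.1.post0' -> (78, 1, 1).

    Pre-release and local suffixes are ignored (assumption: good enough
    for a triage check, not a full PEP 440 comparison).
    """
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    # Pad short versions so that '78.1' compares as 78.1.0.
    return tuple(parts + [0] * (3 - len(parts)))


def find_setuptools(root):
    """Yield (dist_info_path, version) for every setuptools install under root."""
    pattern = re.compile(r"setuptools-[^-]+\.dist-info", re.IGNORECASE)
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            meta = os.path.join(dirpath, name, "METADATA")
            if pattern.fullmatch(name) and os.path.isfile(meta):
                with open(meta, encoding="utf-8", errors="replace") as fh:
                    # METADATA uses RFC 822 style headers; read the Version field.
                    version = HeaderParser().parse(fh, headersonly=True)["Version"]
                if version:
                    yield os.path.join(dirpath, name), version


def audit(root):
    """Return a sorted list of (path, version, vulnerable) tuples."""
    return sorted((p, v, parse_version(v) < FIXED) for p, v in find_setuptools(root))


if __name__ == "__main__":
    # Usage: python audit_setuptools.py /path/to/unpacked/image
    findings = audit(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, version, vulnerable in findings:
        print("VULNERABLE" if vulnerable else "ok", version, path)
    sys.exit(1 if any(f[2] for f in findings) else 0)
```

An image can hold more than one copy of setuptools (for example one per virtual environment), so every match is reported rather than only the first.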