CVE-2022-40897: setuptools ReDoS
CVE-2022-40897 (setuptools ReDoS) is a regular expression denial of service (redos) vulnerability in setuptools (PyPI). As of 2026-06-18 it carries a 2.6% probability of exploitation in the next 30 days (EPSS). It is fixed in 65.5.1 — if you depend on an earlier version, upgrade.
| Severity | High |
|---|---|
| CVSS vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| EPSS (exploit probability, 30d) | 2.6% · 83th percentile |
| Vulnerability type | Regular Expression Denial of Service (ReDoS) |
| Affected package | setuptools (PyPI) |
| Fixed in | 65.5.1 |
What is CVE-2022-40897?
setuptools before 65.5.1 is vulnerable to ReDoS in package_index when processing a crafted HTML index page, which can hang tooling that fetches packages from an untrusted index.
Is CVE-2022-40897 exploitable?
CVE-2022-40897 has an EPSS score of 2.6% (83th percentile), meaning a 2.6% probability of exploitation in the next 30 days. Its CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H, which scores as High severity. It is a regular expression denial of service (redos) issue.
What is the EPSS score for CVE-2022-40897?
As of 2026-06-18, the EPSS exploit-prediction score for CVE-2022-40897 is 2.6% (83th percentile). EPSS estimates the probability that a vulnerability will be exploited in the wild within the next 30 days and is recomputed daily by FIRST.org.
How do I fix CVE-2022-40897?
Upgrade setuptools to 65.5.1 or later. setuptools before 65.5.1 is vulnerable to ReDoS in package_index when processing a crafted HTML index page, which can hang tooling that fetches packages from an untrusted index.
Am I affected by CVE-2022-40897?
You are affected if your project (directly or transitively) depends on a vulnerable version of setuptools in the PyPI ecosystem. Check your lockfile for the resolved version, or scan automatically with VulnFeed.
Check your own project automatically
Don't eyeball every dependency by hand. VulnFeed reads your lockfile, checks it against the same advisory data, and ranks findings by EPSS — free, no signup (10 scans/day):
curl -s https://vulnfeed-api.novadyne.ai/vulnscan/query \
-H 'content-type: application/json' \
-d '{"ecosystem":"npm","package":"PKG","version":"VERSION"}'
Or run it inside Claude Code with no API key — uvx vulnfeed-mcp — and just ask "scan this project for vulnerabilities."
Data sources: vulnerability metadata from OSV.dev and the National Vulnerability Database; exploit-probability (EPSS) from FIRST.org (recomputed daily; EPSS data shown here as of 2026-06-18). Page generated 2026-06-18.