CVE-2025-47273 in Python runtime #509

@supersmo

Description

Describe the bug
When building an image for a Python application using buildpacks in Cloud Build, the resulting image gets flagged with CVE-2025-47273, which has severity high.
It is setuptools that has this vulnerability; it was fixed in version 78.1.1, which was released April 19.

Additional context
How are you using GCP buildpacks?

  • pack and the gcr.io/buildpacks/builder
  • Cloud Functions
  • Cloud Run
  • Cloud Build
  • App Engine Standard
  • App Engine Flex
  • Firebase App Hosting

Did this used to work?
Yes
This wasn't an issue until the CVE was discovered.

What language is your project primarily written in?
Python

Steps To Reproduce
Steps to reproduce the behavior:

...
gcloud builds submit . --pack builder=gcr.io/buildpacks/builder:google-22,image=${TF_VAR_IMAGE_PATH}:${TF_VAR_IMAGE_TAG} --project ${TF_VAR_BUILD_PROJECT_ID}
...
===> DETECTING
[detector] target distro name/version labels not found, reading /etc/os-release file
[detector] google.python.runtime    0.9.1
[detector] google.python.pip        0.9.2
[detector] google.config.entrypoint 0.9.0
[detector] google.utils.label-image 0.0.2
...
[builder] Installing Python v3.13.3.

Expected behavior
An image without CVE of high severity for setuptools.

Actual behavior
An image with CVE of high severity for setuptools.

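As an added check for the situation reported above (example code; not from the issue reporter or the buildpacks project), the script below reads a `pip list --format=freeze` / `pip freeze` listing captured from a built image and reports whether the installed setuptools is older than 78.1.1, the fixed version named in the issue. The sample listing is constructed, and the version comparison only looks at the dotted-integer release segment, which is enough for a "fixed at or above 78.1.1" decision.

```python
"""Flag a setuptools install below the release that fixed CVE-2025-47273.

Added example, not code from the issue or the GCP buildpacks project.
Assumptions: the fixed version is 78.1.1 (as stated in the issue) and the
input is the text printed by `pip list --format=freeze` or `pip freeze`
inside the image under review.
"""
import re
from typing import Optional

# Version in which, per the issue, CVE-2025-47273 was fixed.
FIXED_SETUPTOOLS = "78.1.1"

# Constructed sample of freeze output from an image (not real scan data).
SAMPLE_FREEZE = """\
Flask==3.1.0
pip==25.0.1
setuptools==75.8.0
wheel==0.45.1
"""

# Leading dotted-integer release segment, e.g. '78.1.1' from '78.1.1.post1'.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple:
    """Turn '78.1.1' into (78, 1, 1) so versions compare as tuples of ints.

    Suffixes such as '.post1' or 'rc1' are ignored; for a >= check against a
    final release that is sufficient.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def find_pinned_version(freeze_output: str, package: str) -> Optional[str]:
    """Return the version pinned for `package` in freeze output, or None.

    Package names are matched case-insensitively with '-' and '_' treated as
    equivalent, mirroring pip's name normalisation.
    """
    wanted = package.lower().replace("_", "-")
    for line in freeze_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, _, version = line.partition("==")
        if name.strip().lower().replace("_", "-") == wanted:
            return version.strip()
    return None


def setuptools_is_affected(freeze_output: str, fixed: str = FIXED_SETUPTOOLS) -> bool:
    """True when setuptools is present and older than the fixed release.

    An image without setuptools at all is reported as not affected, since
    there is nothing to upgrade.
    """
    installed = find_pinned_version(freeze_output, "setuptools")
    if installed is None:
        return False
    return parse_version(installed) < parse_version(fixed)


if __name__ == "__main__":
    version = find_pinned_version(SAMPLE_FREEZE, "setuptools")
    status = "AFFECTED" if setuptools_is_affected(SAMPLE_FREEZE) else "ok"
    print(f"setuptools {version}: {status} (fixed in {FIXED_SETUPTOOLS})")
```

To use it against a real image, run `pip list --format=freeze` inside the container and pass the captured text to `setuptools_is_affected`; a `True` result means the image still carries the pre-fix setuptools and the scanner finding is genuine rather than a false positive.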

Metadata

Assignees

No one assigned

    Labels

    kind/bug (Something isn't working)
