CVE-2025-13327: Improper Validation of Syntactic Correctness of Input in uv

Severity
6.3 MEDIUM (NVD)
EPSS
0.0% (top 99.32%)
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Feb 27

Description

A flaw was found in uv. Specially crafted ZIP archives (the container format of Python wheels) can exploit parsing differentials: disagreements between ZIP parsers about which bytes belong to which entry, so that the same archive presents one set of files to the tool that inspects it and a different set to the tool that unpacks it. ZIP records each entry's name and sizes twice, once in a local file header and once in the central directory, and an archive whose two records disagree is the classic source of such differentials. An attacker who can get a user to install an attacker-controlled package can use this to execute malicious code during package resolution or installation; user interaction (installing the package) is required. Fixed in uv 0.9.6.
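The following is an added illustration of the ZIP parsing differential described above; it is not code from uv or from the advisory, and it does not reproduce the specific archives used against uv. It builds a single-entry ZIP whose local file header names the entry `payload.py` while the central directory names it `README.txt` (the data bytes are shared), then shows that a streaming parser that walks local headers and an index parser that trusts the central directory report different file names, and finally implements the cross-check a strict installer should perform. All names and the embedded sample content are constructed for the example.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
LOCAL_FMT = "<4sHHHHHIIIHH"          # 30-byte local file header
CENTRAL_FMT = "<4sHHHHHHIIIHHHHHII"  # 46-byte central directory header
EOCD_FMT = "<4sHHHHIIH"              # 22-byte end-of-central-directory record
DOS_DATE_1980_01_01 = 33             # (year-1980)<<9 | month<<5 | day


def build_differential_zip(local_name: bytes, central_name: bytes, data: bytes) -> bytes:
    """Write one STORED entry whose local header and central directory disagree on the
    file name. CRC, sizes and offsets are consistent, so each view is valid on its own."""
    crc = zlib.crc32(data)
    local = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, 0, 0, 0, DOS_DATE_1980_01_01,
                        crc, len(data), len(data), len(local_name), 0)
    body = local + local_name + data
    central = struct.pack(CENTRAL_FMT, CENTRAL_SIG, 20, 20, 0, 0, 0, DOS_DATE_1980_01_01,
                          crc, len(data), len(data), len(central_name),
                          0, 0, 0, 0, 0, 0) + central_name   # local header at offset 0
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, 1, 1, len(central), len(body), 0)
    return body + central + eocd


def local_header_view(blob: bytes) -> list[tuple[str, bytes]]:
    """Streaming parser: walk local file headers from offset 0, ignore the central directory."""
    entries, pos = [], 0
    while blob[pos:pos + 4] == LOCAL_SIG:
        _, _, flags, _, _, _, _, csize, _, nlen, xlen = struct.unpack_from(LOCAL_FMT, blob, pos)
        assert not flags & 0x08, "data-descriptor entries are out of scope for this example"
        name = blob[pos + 30:pos + 30 + nlen].decode("utf-8")
        start = pos + 30 + nlen + xlen
        entries.append((name, blob[start:start + csize]))
        pos = start + csize
    return entries


def central_directory_view(blob: bytes) -> list[tuple[str, bytes]]:
    """Index parser: trust the central directory for names and sizes, use the local
    header only to locate the data bytes (this is how the stdlib zipfile module works)."""
    eocd = blob.rfind(EOCD_SIG)
    _, _, _, _, total, _, cd_pos, _ = struct.unpack_from(EOCD_FMT, blob, eocd)
    entries = []
    for _ in range(total):
        rec = struct.unpack_from(CENTRAL_FMT, blob, cd_pos)
        csize, nlen, xlen, clen, off = rec[8], rec[10], rec[11], rec[12], rec[16]
        name = blob[cd_pos + 46:cd_pos + 46 + nlen].decode("utf-8")
        lnlen, lxlen = struct.unpack_from("<HH", blob, off + 26)
        start = off + 30 + lnlen + lxlen
        entries.append((name, blob[start:start + csize]))
        cd_pos += 46 + nlen + xlen + clen
    return entries


def stdlib_names(blob: bytes) -> list[str]:
    """What a central-directory reader such as CPython's zipfile lists for the archive."""
    return zipfile.ZipFile(io.BytesIO(blob)).namelist()


def find_differentials(blob: bytes) -> list[str]:
    """The check a strict installer should make: refuse archives whose two views disagree."""
    problems = []
    eocd = blob.rfind(EOCD_SIG)
    _, _, _, _, total, _, cd_pos, clen = struct.unpack_from(EOCD_FMT, blob, eocd)
    if len(blob) != eocd + 22 + clen:
        problems.append("trailing bytes after the end-of-central-directory record")
    if len(local_header_view(blob)) != total:
        problems.append("number of local headers differs from central directory entry count")
    for i in range(total):
        rec = struct.unpack_from(CENTRAL_FMT, blob, cd_pos)
        nlen, xlen, cmlen, off = rec[10], rec[11], rec[12], rec[16]
        cname = blob[cd_pos + 46:cd_pos + 46 + nlen]
        lrec = struct.unpack_from(LOCAL_FMT, blob, off)
        lname = blob[off + 30:off + 30 + lrec[9]]
        if lname != cname:
            problems.append(f"entry {i}: local name {lname!r} != central name {cname!r}")
        if not lrec[2] & 0x08 and (lrec[6], lrec[7], lrec[8]) != (rec[7], rec[8], rec[9]):
            problems.append(f"entry {i}: crc/size fields differ between local header and central directory")
        cd_pos += 46 + nlen + xlen + cmlen
    return problems


# Constructed sample: same bytes, two names.
CRAFTED = build_differential_zip(b"payload.py", b"README.txt", b"print('not what the index says')\n")

if __name__ == "__main__":
    print("streaming view :", [n for n, _ in local_header_view(CRAFTED)])
    print("index view     :", [n for n, _ in central_directory_view(CRAFTED)])
    print("stdlib zipfile :", stdlib_names(CRAFTED))
    print("differentials  :", find_differentials(CRAFTED))
```

A scanner that lists the archive through the central directory sees only `README.txt`, while a streaming extractor writes `payload.py`; `find_differentials` flags the name mismatch, the count mismatch between the two views and any bytes trailing the end-of-central-directory record, which is the kind of strictness a package installer needs before trusting an archive's contents. (CPython's `zipfile` cross-checks the name when an entry is opened, but its listing alone, as shown, reports the central directory's view.)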

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Exploitability: 0.3 | Impact: 5.9

Affected Packages (4 packages)

NVD: astral/uv < 0.9.6
CVEListV5: astral-sh/uv < 0.9.6
PyPI: astral-sh/uv < 0.9.6
crates.io: astral-sh/uv < 0.9.6

Patches

🔴 Vulnerability Details (4)

CVEList: Uv: uv: specially crafted zip archives lead to arbitrary code execution due to parsing differentials (2026-02-27)
GHSA: uv has ZIP payload obfuscation through parsing differentials (2026-02-27)
OSV: uv has ZIP payload obfuscation through parsing differentials (2026-02-27)
OSV: uv allows ZIP payload obfuscation through parsing differentials (2025-10-29)

📋 Vendor Advisories (1)

Red Hat: uv: uv: Specially crafted ZIP archives lead to arbitrary code execution due to parsing differentials (2025-10-29)

🕵️ Threat Intelligence

Wiz: CVE-2025-13327 Impact, Exploitability, and Mitigation Steps | Wiz
cvebase: CVE-2025-13327 — Astral-sh UV vulnerability | cvebase