CVE-2025-54368: Improper Input Validation in uv

Severity: 6.8 MEDIUM (NVD)
EPSS: 0.0% (top 97.70%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Aug 8, 2025

Description

uv is a Python package and project manager written in Rust. In versions 0.8.5 and earlier, remote ZIP archives were handled in a streamwise fashion, and file entries were not reconciled against the archive's central directory. An attacker could contrive a ZIP archive that would extract with legitimate contents on some package installers, and malicious contents on others due to multiple local file entries. An attacker could also contrive a "stacked" ZIP input with multiple internal ZIPs, which wo
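The differential the description refers to, as an added illustration that is not uv's code and not taken from the advisory: two hand-built archives in memory, read once by a central-directory-driven reader (Python's stdlib zipfile) and once by a streamwise reader that walks local file headers from the top of the file. The first archive carries an extra local entry that the central directory never references; the second is two complete archives stacked back to back. A `reconcile` check then cross-references the stream of local headers against the central directory, the kind of reconciliation the description says was missing. The file name `payload.txt`, the entry contents and all helper names are assumptions for the example; the archives use stored (uncompressed) entries with no data descriptors, so sizes are always in the headers.

```python
"""ZIP parsing differential demo for CVE-2025-54368 (added example, not uv's code).
All archives are constructed in memory; names and contents are arbitrary."""
import io
import struct
import zipfile
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
DOS_DATE = 0x21  # 1980-01-01, a valid placeholder timestamp


def _local(name: bytes, data: bytes) -> bytes:
    """Local file header + stored data (method 0, no data descriptor)."""
    hdr = struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, 0, 0, 0, DOS_DATE,
                      zlib.crc32(data), len(data), len(data), len(name), 0)
    return hdr + name + data


def _central(name: bytes, data: bytes, offset: int) -> bytes:
    """Central directory record pointing at the local header at `offset`."""
    return struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, 0, 0, 0,
                       DOS_DATE, zlib.crc32(data), len(data), len(data),
                       len(name), 0, 0, 0, 0, 0, offset) + name


def build_zip(entries, orphans=()) -> bytes:
    """Build an archive from (name, data) pairs. `orphans` are local entries
    written into the byte stream but deliberately left out of the central
    directory, which is how the smuggled payload is hidden."""
    body, cd = b"", b""
    for name, data in entries:
        cd += _central(name, data, len(body))
        body += _local(name, data)
    for name, data in orphans:
        body += _local(name, data)  # on the wire, but not indexed
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(cd), len(body), 0)
    return body + cd + eocd


def read_central(blob: bytes) -> dict:
    """What a central-directory-driven reader (stdlib zipfile) sees."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {i.filename: zf.read(i) for i in zf.infolist()}


def walk_local_headers(blob: bytes):
    """Streamwise walk: (offset, name, crc, data) per local header, in file
    order, stopping at the first non-local signature. Returns (entries, stop)."""
    entries, pos = [], 0
    while pos + 30 <= len(blob) and struct.unpack_from("<I", blob, pos)[0] == LOCAL_SIG:
        crc, csize, _usize, nlen, xlen = struct.unpack_from("<IIIHH", blob, pos + 14)
        start = pos + 30 + nlen + xlen
        entries.append((pos, blob[pos + 30:pos + 30 + nlen].decode(), crc, blob[start:start + csize]))
        pos = start + csize
    return entries, pos


def read_streamwise(blob: bytes) -> dict:
    """What a streamwise extractor sees: every local entry, last write wins."""
    entries, _stop = walk_local_headers(blob)
    return {name: data for _off, name, _crc, data in entries}


def reconcile(blob: bytes) -> list:
    """Cross-check local headers against the central directory; [] when clean."""
    findings = []
    entries, stop = walk_local_headers(blob)
    eocd = blob.rfind(struct.pack("<I", EOCD_SIG))  # assumes no comment containing the signature
    if eocd < 0:
        return ["no end-of-central-directory record"]
    n, cd_size, cd_off, comment_len = struct.unpack_from("<HIIH", blob, eocd + 10)
    cd_start = eocd - cd_size
    shift = cd_start - cd_off  # non-zero when data precedes the archive the EOCD describes
    if shift:
        findings.append(f"central directory offsets shifted by {shift} bytes (prepended data / stacked archive)")
    if eocd + 22 + comment_len != len(blob):
        findings.append("data after end-of-central-directory record (appended archive)")
    if stop != cd_start:
        findings.append(f"{cd_start - stop} unindexed bytes between last local entry and central directory")
    indexed, pos = {}, cd_start
    for _ in range(n):
        crc, _csize, size, nlen, xlen, clen = struct.unpack_from("<IIIHHH", blob, pos + 16)
        off = struct.unpack_from("<I", blob, pos + 42)[0] + shift
        indexed[off] = (blob[pos + 46:pos + 46 + nlen].decode(), crc, size)
        pos += 46 + nlen + xlen + clen
    for off, name, crc, data in entries:
        if off not in indexed:
            findings.append(f"local entry {name!r} at offset {off} not referenced by central directory")
        elif indexed[off] != (name, crc, len(data)):
            findings.append(f"local entry at offset {off} disagrees with central directory")
    return findings


# Constructed inputs: one benign indexed entry plus an orphaned malicious twin,
# and two whole archives stacked so the EOCD found from the end belongs to the second.
SMUGGLED = build_zip([(b"payload.txt", b"benign")], orphans=[(b"payload.txt", b"malicious")])
STACKED = build_zip([(b"payload.txt", b"malicious")]) + build_zip([(b"payload.txt", b"benign")])

if __name__ == "__main__":
    for label, blob in (("smuggled entry", SMUGGLED), ("stacked archives", STACKED)):
        print(label, "central:", read_central(blob), "stream:", read_streamwise(blob))
        for finding in reconcile(blob):
            print("  !", finding)
```

Both archives read as `{"payload.txt": b"benign"}` through the central directory and as `{"payload.txt": b"malicious"}` streamwise, which is the whole point: a scanner or a second installer that trusts the central directory signs off on contents the streaming installer never writes to disk, and vice versa. `reconcile` flags both constructions and returns an empty list for a plain single-entry archive; in an installer the right response to any finding is to reject the archive rather than pick a side.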

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages (2 packages)

CVEList V5: astral-sh/uv < 0.8.6
PyPI: astral-sh/uv < 0.8.6

Vulnerability Details (3 references)

CVEList: uv is vulnerable to ZIP payload obfuscation through parsing differentials (2025-08-08)
OSV: uv allows ZIP payload obfuscation through parsing differentials (2025-08-07)
GHSA: uv allows ZIP payload obfuscation through parsing differentials (2025-08-07)
CVE-2025-54368 — Improper Input Validation in UV | cvebase