Astral-Sh Uv vulnerabilities

3 known vulnerabilities affecting astral-sh/uv. The fixes landed in 0.8.6, 0.9.5 and 0.9.6 respectively (see the entries below), so any release from 0.9.6 onward carries all three; `uv --version` is the quick check.

Total CVEs
3
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
HIGH 1, MEDIUM 2

Vulnerabilities

CVE-2025-13327 | MEDIUM | CVSS 6.3 | fixed in 0.9.6 | 2026-02-27
CVE-2025-13327 [MEDIUM] CWE-1286: A flaw was found in uv. This vulnerability allows an attacker to execute malicious code during package resolution or installation via specially crafted ZIP archives that exploit parsing differentials, requiring user interaction to install an attacker-controlled package.
Sources: cvelistv5, ghsa, nvd, osv
CVE-2025-62518 | HIGH | CVSS 8.1 | affected ≥ 0, < 0.9.5 | 2025-10-21
CVE-2025-62518 [HIGH] CWE-843: uv has a differential in tar extraction with PAX headers. Impact: In versions 0.9.4 and earlier of uv, tar archives containing PAX headers with file size overrides were not handled properly. As a result, an attacker could contrive a source distribution (as a tar archive) that would extract differently when installed via uv versus other Python package installers. The underlying parsing differential here origin…
Sources: ghsa, osv
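The PAX size override described in the CVE-2025-62518 entry, as an added example that is not code from uv or from astral-tokio-tar: it builds a tar archive whose PAX `size` record disagrees with the ustar size field of the entry it precedes, reads it once with a parser that applies only the ustar field (one way the mishandling the advisory describes can show up) and once with Python's tarfile, which honours the override, and then runs the reconciliation check an installer can apply before extracting anything. The archive layout, file names and contents are constructed for the demo; the advisory does not say which byte layout was used against uv, and the `pkg/evil.py` payload is a placeholder.

```python
"""Tar PAX size-override differential (added example, not uv or astral-tokio-tar code).

Archive contents below are constructed for the demo; uncompressed ustar/PAX only."""
import io
import tarfile

BLOCK = 512


def _padded(n):
    """Round a byte count up to whole 512-byte blocks."""
    return (n + BLOCK - 1) // BLOCK * BLOCK


def ustar_header(name, size, typeflag=b"0"):
    """Minimal ustar header (mode 0644, uid/gid 0, mtime 0) with a valid checksum."""
    h = bytearray(BLOCK)
    h[0:len(name)] = name.encode()
    h[100:108], h[108:116], h[116:124] = b"0000644\0", b"0000000\0", b"0000000\0"
    h[124:136], h[136:148] = b"%011o\0" % size, b"%011o\0" % 0
    h[148:156] = b" " * 8  # the checksum is computed with this field blanked to spaces
    h[156:157] = typeflag
    h[257:263], h[263:265] = b"ustar\0", b"00"
    h[148:156] = b"%06o\0 " % sum(h)
    return bytes(h)


def pax_record(key, value):
    """One PAX record, '<len> key=value\\n', where len counts the whole record."""
    body = f" {key}={value}\n"
    n = len(body) + 1
    while n != len(str(n)) + len(body):
        n += 1
    return f"{n}{body}".encode()


def build_tar(entries):
    """entries: (name, data, pax_size). A non-None pax_size is emitted as a PAX
    extended header ('x') in front of the entry, overriding its ustar size field."""
    out = b""
    for name, data, pax_size in entries:
        if pax_size is not None:
            rec = pax_record("size", pax_size)
            out += ustar_header("PaxHeader/" + name, len(rec), b"x") + rec.ljust(_padded(len(rec)), b"\0")
        out += ustar_header(name, len(data)) + data.ljust(_padded(len(data)), b"\0")
    return out + b"\0" * (2 * BLOCK)


def _header_fields(hdr):
    name = hdr[:100].split(b"\0", 1)[0].decode()
    return name, int(hdr[124:136].strip(b"\0 ") or b"0", 8), hdr[156:157]


def ustar_only_extract(buf):
    """Reader that skips PAX blocks without applying their overrides: every entry is
    sized by its own ustar header."""
    pos, files = 0, {}
    while buf[pos:pos + BLOCK].strip(b"\0"):
        name, size, typ = _header_fields(buf[pos:pos + BLOCK])
        if typ in (b"0", b"\0"):
            files[name] = buf[pos + BLOCK:pos + BLOCK + size]
        pos += BLOCK + _padded(size)
    return files


def pax_extract(buf):
    """Reader that honours PAX size overrides (Python's tarfile does)."""
    with tarfile.open(fileobj=io.BytesIO(buf), mode="r:") as tf:
        return {m.name: tf.extractfile(m).read() for m in tf.getmembers() if m.isfile()}


def check_size_overrides(buf):
    """Walk the archive as a PAX-aware reader would and report every entry whose PAX
    size record disagrees with its ustar size field. The override is only needed for
    files too large for the 11-octal-digit ustar field; any other disagreement is a
    reader differential and the archive should be rejected."""
    findings, pending, pos = [], None, 0
    while buf[pos:pos + BLOCK].strip(b"\0"):
        name, size, typ = _header_fields(buf[pos:pos + BLOCK])
        if typ == b"x":
            pending = None
            for rec in buf[pos + BLOCK:pos + BLOCK + size].split(b"\n"):
                if b" size=" in rec:
                    pending = int(rec.split(b"=", 1)[1])
        else:
            if pending is not None and pending != size and size < 8 ** 11:
                findings.append(f"{name}: ustar size {size} but PAX size override {pending}")
            size = size if pending is None else pending
            pending = None
        pos += BLOCK + _padded(size)
    return findings


# Constructed demo archives. CRAFTED's PAX size for pkg/mod.py covers its padded benign
# content plus the following header and payload, so a PAX-honouring reader sees one
# odd-looking file while a ustar-only reader sees a clean pkg/mod.py plus pkg/evil.py.
BENIGN, EVIL = b"VERSION = '1.0'\n", b"import os; os.system('echo pwned')\n"
CRAFTED = build_tar([("pkg/mod.py", BENIGN, _padded(len(BENIGN)) + BLOCK + len(EVIL)),
                     ("pkg/evil.py", EVIL, None)])
HONEST = build_tar([("pkg/mod.py", BENIGN, len(BENIGN)), ("pkg/other.py", b"x = 1\n", None)])
```

`ustar_only_extract(CRAFTED)` returns both `pkg/mod.py` and `pkg/evil.py`, `pax_extract(CRAFTED)` returns a single 1059-byte `pkg/mod.py`, and `check_size_overrides(CRAFTED)` reports the disagreement while passing `HONEST`, whose PAX record merely repeats the ustar size. The check walks the archive the PAX-aware way on purpose: a reader that only compares the two sizes without also advancing by the override would itself desynchronise on a crafted archive.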
CVE-2025-54368 | MEDIUM | CVSS 6.8 | fixed in 0.8.6 | 2025-08-08
CVE-2025-54368 [MEDIUM] CWE-20: uv is a Python package and project manager written in Rust. In versions 0.8.5 and earlier, remote ZIP archives were handled in a streamwise fashion, and file entries were not reconciled against the archive's central directory. An attacker could contrive a ZIP archive that would extract with legitimate contents on some package installers, and maliciou…
Sources: cvelistv5, ghsa, nvd, osv
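Both ZIP entries on this page (CVE-2025-13327 and CVE-2025-54368) describe the same class of problem: a reader that walks local file headers streamwise can see entries that the archive's central directory never lists, while a central-directory-driven reader never sees them. The following is an added example, not uv's code: it builds such an archive, shows that a streaming walk and Python's zipfile (which trusts the central directory) disagree on the file set, and implements the reconciliation the CVE-2025-54368 text says was missing: every local header must correspond to a central directory record with the same name, CRC and size, every central record must point at a local header the walk actually reaches, and the local entries must run exactly up to the central directory. Archive names and contents are constructed; only stored (uncompressed) entries without data descriptors are handled.

```python
"""ZIP local-header / central-directory reconciliation (added example, not uv code).

Archive contents below are constructed for the demo. Stored entries only."""
import io
import struct
import zipfile
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
LOCAL_FMT, CENTRAL_FMT, EOCD_FMT = "<HHHHHIIIHH", "<HHHHHHIIIHHHHHII", "<HHHHIIH"
DOS_DATE = 0x0021  # 1980-01-01: a valid DOS date, so zipfile accepts the entries


def build_zip(entries):
    """entries: (name, data, listed). Every entry gets a local file header; only
    listed ones get a central directory record. A well-formed ZIP lists all of them."""
    body, central, listed = io.BytesIO(), io.BytesIO(), 0
    for name, data, is_listed in entries:
        nb, crc, off = name.encode(), zlib.crc32(data) & 0xFFFFFFFF, body.tell()
        body.write(LOCAL_SIG + struct.pack(LOCAL_FMT, 20, 0, 0, 0, DOS_DATE, crc,
                                           len(data), len(data), len(nb), 0) + nb + data)
        if is_listed:
            central.write(CENTRAL_SIG + struct.pack(CENTRAL_FMT, 20, 20, 0, 0, 0, DOS_DATE,
                                                    crc, len(data), len(data), len(nb),
                                                    0, 0, 0, 0, 0, off) + nb)
            listed += 1
    cd_off, cd = body.tell(), central.getvalue()
    body.write(cd + EOCD_SIG + struct.pack(EOCD_FMT, 0, 0, listed, listed, len(cd), cd_off, 0))
    return body.getvalue()


def walk_local(buf):
    """Yield (offset, name, crc, size, data, end) by walking local headers in file
    order, which is how a streaming extractor sees the archive."""
    pos = 0
    while buf[pos:pos + 4] == LOCAL_SIG:
        _, _, _, _, _, crc, csize, _, nlen, xlen = struct.unpack(LOCAL_FMT, buf[pos + 4:pos + 30])
        name = buf[pos + 30:pos + 30 + nlen].decode()
        start = pos + 30 + nlen + xlen
        yield pos, name, crc, csize, buf[start:start + csize], start + csize
        pos = start + csize


def read_central(buf):
    """Return (cd_offset, {local_offset: (name, crc, size)}) from the EOCD record."""
    eocd = buf.rfind(EOCD_SIG)
    _, _, _, count, _, cd_off, _ = struct.unpack(EOCD_FMT, buf[eocd + 4:eocd + 22])
    recs, pos = {}, cd_off
    for _ in range(count):
        f = struct.unpack(CENTRAL_FMT, buf[pos + 4:pos + 46])
        nlen, xlen, clen = f[9], f[10], f[11]
        recs[f[15]] = (buf[pos + 46:pos + 46 + nlen].decode(), f[6], f[7])
        pos += 46 + nlen + xlen + clen
    return cd_off, recs


def stream_extract(buf):
    """What a streaming reader sees: every local entry, listed or not."""
    return {name: data for _, name, _, _, data, _ in walk_local(buf)}


def central_extract(buf):
    """What a central-directory-driven reader (here Python's zipfile) sees."""
    with zipfile.ZipFile(io.BytesIO(buf)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


def check_consistency(buf):
    """Reconcile each local header against the central directory. Returns a list of
    findings; empty means the streaming and central views agree."""
    findings, local, local_end = [], {}, 0
    for off, name, crc, size, _, end in walk_local(buf):
        local[off] = (name, crc, size)
        local_end = end
    cd_off, central = read_central(buf)
    if local_end != cd_off:
        findings.append(f"{cd_off - local_end} unaccounted bytes before the central directory")
    for off, rec in local.items():
        if off not in central:
            findings.append(f"orphan local entry {rec[0]!r} at offset {off} is not in the central directory")
        elif central[off] != rec:
            findings.append(f"entry at offset {off}: local {rec} != central {central[off]}")
    for off, rec in central.items():
        if off not in local:
            findings.append(f"central entry {rec[0]!r} points at offset {off}, which the local walk never reaches")
    return findings


# Constructed demo archives. CRAFTED carries pkg/mod.py as a local entry only.
EVIL, BENIGN = b"import os; os.system('echo pwned')\n", b"VERSION = '1.0'\n"
CRAFTED = build_zip([("pkg/mod.py", EVIL, False), ("pkg/other.py", BENIGN, True)])
HONEST = build_zip([("pkg/mod.py", BENIGN, True), ("pkg/other.py", BENIGN, True)])

if __name__ == "__main__":
    print("streaming reader:", sorted(stream_extract(CRAFTED)))
    print("central reader  :", sorted(central_extract(CRAFTED)))
    for finding in check_consistency(CRAFTED):
        print("reject:", finding)
```

On `CRAFTED` the streaming reader returns `pkg/mod.py` and `pkg/other.py`, zipfile returns only `pkg/other.py`, and `check_consistency` reports the orphan entry; `HONEST` passes with no findings. A production check also has to cover deflated entries, data descriptors (general-purpose flag bit 3, where sizes live after the data) and ZIP64 records, none of which this walker handles; the offset, name, CRC and size comparison is the part that closes the differential.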