uv · CVE-2025-54368
**Name of the Vulnerable Software and Affected Versions**
uv versions 0.8.5 and earlier
**Description**
uv is a Python package and project manager written in Rust. Versions 0.8.5 and earlier processed remote ZIP archives in a streaming fashion, reading local file entries as they arrived without reconciling them against the archive's central directory. An attacker could therefore craft a ZIP archive that extracts to legitimate contents on some package installers and malicious contents on others, or a "stacked" ZIP input containing multiple internal ZIPs, which different package installers would handle differently. This could be used to target specific installers.
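As an added illustration (not part of this advisory or of uv's own code), the check below reconciles the two views the description contrasts: the sequence of local file headers a streaming extractor walks, and the central directory a seeking extractor trusts. The clean and "stacked" archives are constructed inline; names and helper functions are assumptions for the example.

```python
import io
import struct
import zipfile

LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # local file header: 30 bytes
LOCAL_SIG = b"PK\x03\x04"

def streaming_view(data: bytes):
    """Walk local file headers front to back, as a streaming extractor does.
    Returns {(offset, name)}; stops at the first byte that is not a local header."""
    seen, pos = set(), 0
    while data[pos:pos + 4] == LOCAL_SIG:
        _sig, _ver, flags, _m, _t, _d, _crc, csize, _usize, nlen, xlen = LOCAL_HDR.unpack_from(data, pos)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        if flags & 0x08:  # size lives in a trailing data descriptor: unknowable while streaming
            raise ValueError(f"{name!r}: data descriptor entry, cannot size it in streaming mode")
        seen.add((pos, name))
        pos += 30 + nlen + xlen + csize
    return seen

def central_view(data: bytes):
    """The archive as its central directory describes it (zipfile locates the EOCD from the end)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {(zi.header_offset, zi.filename) for zi in zf.infolist()}

def reconcile(data: bytes):
    """Return discrepancies between both views; an empty list means they agree."""
    local, central = streaming_view(data), central_view(data)
    problems = [f"only in streaming view: {e}" for e in sorted(local - central)]
    problems += [f"only in central directory: {e}" for e in sorted(central - local)]
    return problems

def make_zip(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed inputs: one ordinary archive, and a "stacked" input made by appending a
# second complete archive. A streaming parser extracts the first archive's entry; a
# central-directory parser finds the trailing EOCD and extracts the second one's.
CLEAN = make_zip({"pkg/__init__.py": "VERSION = '1.0'\n"})
STACKED = CLEAN + make_zip({"pkg/__init__.py": "VERSION = '1.0'  # alternate body\n"})

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("stacked", STACKED)):
        print(label, reconcile(blob) or "consistent")
```

Rejecting any archive whose two views disagree is the conservative behavior an installer can adopt; the sample shows the same entry name at two different offsets, which is exactly the ambiguity a differential attack relies on.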
**Recommendations**
uv versions prior to 0.8.6 should be upgraded.
As a workaround, set the environment variable `UV_INSECURE_NO_ZIP_VALIDATION` to `1` to revert to the previous, unvalidated behavior.