ZIP Archive Vulnerability in uv Python Package by Astral
CVE-2025-54368
What is CVE-2025-54368?
The uv Python package, developed by Astral, has a vulnerability in versions 0.8.5 and earlier in its handling of remote ZIP archives. Specifically, uv processes a ZIP's local file entries without reconciling them against the archive's central directory. Because some installers extract by walking local file headers sequentially while others trust only the central directory, an attacker can craft a single archive whose extracted contents differ depending on which installer reads it, for example by including multiple local file entries for the same path or by "stacking" one ZIP after another. The same input can then yield legitimate files for some installers while delivering harmful files to others, which defeats review and scanning that looked at the archive with a different reader. The issue is resolved in version 0.8.6, which rejects archives whose two views disagree; users are advised to upgrade, or, if they need the old behavior, to set a specific environment variable that reverts to it.
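As an added illustration (this is not uv's or Astral's code), the following Python builds both views of an archive that the advisory contrasts: the sequential walk over local file headers that a streaming extractor performs, and the central directory that a random-access reader such as `zipfile` trusts. `reconcile` returns the entries on which the two views disagree, so an empty result means every installer would extract the same files. The archive names and contents are constructed samples, and `STACKED` is one archive appended to another.

```python
import io
import struct
import zipfile

LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # fixed 30-byte local file header
LOCAL_SIG, CENTRAL_SIG = b"PK\x03\x04", b"PK\x01\x02"

def walk_local_headers(data: bytes) -> list:
    """Sequential view: local headers from offset 0 until the central directory."""
    entries, pos = [], 0
    while data[pos:pos + 4] == LOCAL_SIG:
        _, _, flags, _, _, _, crc, csize, _, nlen, xlen = LOCAL_HDR.unpack_from(data, pos)
        if flags & 0x08:  # sizes deferred to a data descriptor: refuse rather than guess
            raise ValueError(f"entry at offset {pos} uses a data descriptor")
        raw = data[pos + 30:pos + 30 + nlen]
        entries.append((pos, raw.decode("utf-8" if flags & 0x800 else "cp437"), crc))
        pos += 30 + nlen + xlen + csize
    if data[pos:pos + 4] != CENTRAL_SIG:
        raise ValueError(f"no central directory where local entries end (offset {pos})")
    return entries

def central_directory_entries(data: bytes) -> list:
    """Central-directory view: what zipfile (and similar readers) see."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(i.header_offset, i.filename, i.CRC) for i in zf.infolist()]

def reconcile(data: bytes) -> list:
    """Entries on which the two views disagree (offset, name or CRC); [] if consistent."""
    try:
        local, central = set(walk_local_headers(data)), set(central_directory_entries(data))
    except (ValueError, struct.error, zipfile.BadZipFile) as exc:
        return [f"parse error: {exc}"]
    return ([f"local-only entry {n!r} at {o}" for o, n, _ in sorted(local - central)]
            + [f"central-only entry {n!r} at {o}" for o, n, _ in sorted(central - local)])

def make_zip(files: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples (hypothetical file name and contents). In STACKED a sequential
# reader extracts ARCHIVE_A's file; a central-directory reader extracts ARCHIVE_B's.
ARCHIVE_A = make_zip({"pkg/__init__.py": b"VERSION = '1.0'\n"})
ARCHIVE_B = make_zip({"pkg/__init__.py": b"VERSION = '1.0'\nEXTRA = True\n"})
STACKED = ARCHIVE_A + ARCHIVE_B
```

The check is deliberately strict: an entry that appears in only one view, or at a different offset or with a different CRC, is reported rather than silently resolved in favour of either reader.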