Description

uv is a Python package and project manager written in Rust. In versions 0.8.5 and earlier, remote ZIP archives were handled in a streamwise fashion, and file entries were not reconciled against the archive's central directory. An attacker could contrive a ZIP archive that would extract with legitimate contents on some package installers, and malicious contents on others due to multiple local file entries. An attacker could also contrive a "stacked" ZIP input with multiple internal ZIPs, which would be handled differently by different package installers. The attacker could choose which installer to target in both scenarios. This issue is fixed in version 0.8.6. To work around this issue, users may choose to set UV_INSECURE_NO_ZIP_VALIDATION=1 to revert to the previous behavior.

INFO

Published Date :

2025-08-08T00:00:39.001Z

Last Modified :

2025-08-08T17:32:18.259Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-54368 vulnerability.

Vendors Products
Astral
  • Uv
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-54368.

URL Resource
https://astral.sh/blog/uv-security-advisory-cve-2025-54368 cve-icon cve-icon
https://blog.pypi.org/posts/2025-08-07-wheel-archive-confusion-attacks cve-icon cve-icon
https://github.com/astral-sh/uv/commit/7f1eaf48c193e045ca2c62c4581048765c55505f cve-icon cve-icon
https://github.com/astral-sh/uv/security/advisories/GHSA-8qf3-x8v5-2pj8 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability