cvelistv5 - cve-2025-54368

CVE-2025-54368 (GCVE-0-2025-54368)

Vulnerability from cvelistv5

Published

2025-08-08 00:00

Modified

2025-08-08 17:32

Severity ?

6.8 (Medium) - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

CWE

CWE-436 - Interpretation Conflict
CWE-20 - Improper Input Validation

Summary

uv is a Python package and project manager written in Rust. In versions 0.8.5 and earlier, remote ZIP archives were handled in a streamwise fashion, and file entries were not reconciled against the archive's central directory. An attacker could contrive a ZIP archive that would extract with legitimate contents on some package installers, and malicious contents on others due to multiple local file entries. An attacker could also contrive a "stacked" ZIP input with multiple internal ZIPs, which would be handled differently by different package installers. The attacker could choose which installer to target in both scenarios. This issue is fixed in version 0.8.6. To work around this issue, users may choose to set UV_INSECURE_NO_ZIP_VALIDATION=1 to revert to the previous behavior.

References

►

URL

	Vendor	Product	Version
	astral-sh	uv	Version: < 0.8.6

opensuse-su-2025:15429-1

Vulnerability from csaf_opensuse

Published

2025-08-09 00:00

Modified

2025-08-09 00:00

Summary

python311-uv-0.8.8-1.1 on GA media

Notes

Title of the patch

python311-uv-0.8.8-1.1 on GA media

Description of the patch

These are all security issues fixed in the python311-uv-0.8.8-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2025-15429

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "python311-uv-0.8.8-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the python311-uv-0.8.8-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-15429",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15429-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-54368 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-54368/"
      }
    ],
    "title": "python311-uv-0.8.8-1.1 on GA media",
    "tracking": {
      "current_release_date": "2025-08-09T00:00:00Z",
      "generator": {
        "date": "2025-08-09T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:15429-1",
      "initial_release_date": "2025-08-09T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-08-09T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-uv-0.8.8-1.1.aarch64",
                "product": {
                  "name": "python311-uv-0.8.8-1.1.aarch64",
                  "product_id": "python311-uv-0.8.8-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python311-uv-bash-completion-0.8.8-1.1.aarch64",
                "product": {
                  "name": "python311-uv-bash-completion-0.8.8-1.1.aarch64",
                  "product_id": "python311-uv-bash-completion-0.8.8-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python311-uv-fish-completion-0.8.8-1.1.aarch64",
                "product": {
                  "name": "python311-uv-fish-completion-0.8.8-1.1.aarch64",
                  "product_id": "python311-uv-fish-completion-0.8.8-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python311-uv-zsh-completion-0.8.8-1.1.aarch64",
                "product": {
                  "name": "python311-uv-zsh-completion-0.8.8-1.1.aarch64",
                  "product_id": "python311-uv-zsh-completion-0.8.8-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-uv-0.8.8-1.1.aarch64",
                "product": {
                  "name": "python312-uv-0.8.8-1.1.aarch64",
                  "product_id": "python312-uv-0.8.8-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-uv-bash-completion-0.8.8-1.1.aarch64",
                "product": {
                  "name": "python312-uv-bash-completion-0.8.8-1.1.aarch64",
                  "product_id": "python312-uv-bash-completion-0.8.8-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-uv-fish-completion-0.8.8-1.1.aarch64",
                "product": {
                  "name": "python312-uv-fish-completion-0.8.8-1.1.aarch64",
                  "product_id": "python312-uv-fish-completion-0.8.8-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-uv-zsh-completion-0.8.8-1.1.aarch64",
                "product": {
                  "name": "python312-uv-zsh-completion-0.8.8-1.1.aarch64",
                  "product_id": "python312-uv-zsh-completion-0.8.8-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-uv-0.8.8-1.1.aarch64",
                "product": {
                  "name": "python313-uv-0.8.8-1.1.aarch64",
                  "product_id": "python313-uv-0.8.8-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-uv-bash-completion-0.8.8-1.1.aarch64",
                "product": {
                  "name": "python313-uv-bash-completion-0.8.8-1.1.aarch64",
                  "product_id": "python313-uv-bash-completion-0.8.8-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-uv-fish-completion-0.8.8-1.1.aarch64",
                "product": {
                  "name": "python313-uv-fish-completion-0.8.8-1.1.aarch64",
                  "product_id": "python313-uv-fish-completion-0.8.8-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-uv-zsh-completion-0.8.8-1.1.aarch64",
                "product": {
                  "name": "python313-uv-zsh-completion-0.8.8-1.1.aarch64",
                  "product_id": "python313-uv-zsh-completion-0.8.8-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-uv-0.8.8-1.1.ppc64le",
                "product": {
                  "name": "python311-uv-0.8.8-1.1.ppc64le",
                  "product_id": "python311-uv-0.8.8-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python311-uv-bash-completion-0.8.8-1.1.ppc64le",
                "product": {
                  "name": "python311-uv-bash-completion-0.8.8-1.1.ppc64le",
                  "product_id": "python311-uv-bash-completion-0.8.8-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python311-uv-fish-completion-0.8.8-1.1.ppc64le",
                "product": {
                  "name": "python311-uv-fish-completion-0.8.8-1.1.ppc64le",
                  "product_id": "python311-uv-fish-completion-0.8.8-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python311-uv-zsh-completion-0.8.8-1.1.ppc64le",
                "product": {
                  "name": "python311-uv-zsh-completion-0.8.8-1.1.ppc64le",
                  "product_id": "python311-uv-zsh-completion-0.8.8-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python312-uv-0.8.8-1.1.ppc64le",
                "product": {
                  "name": "python312-uv-0.8.8-1.1.ppc64le",
                  "product_id": "python312-uv-0.8.8-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python312-uv-bash-completion-0.8.8-1.1.ppc64le",
                "product": {
                  "name": "python312-uv-bash-completion-0.8.8-1.1.ppc64le",
                  "product_id": "python312-uv-bash-completion-0.8.8-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python312-uv-fish-completion-0.8.8-1.1.ppc64le",
                "product": {
                  "name": "python312-uv-fish-completion-0.8.8-1.1.ppc64le",
                  "product_id": "python312-uv-fish-completion-0.8.8-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python312-uv-zsh-completion-0.8.8-1.1.ppc64le",
                "product": {
                  "name": "python312-uv-zsh-completion-0.8.8-1.1.ppc64le",
                  "product_id": "python312-uv-zsh-completion-0.8.8-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python313-uv-0.8.8-1.1.ppc64le",
                "product": {
                  "name": "python313-uv-0.8.8-1.1.ppc64le",
                  "product_id": "python313-uv-0.8.8-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python313-uv-bash-completion-0.8.8-1.1.ppc64le",
                "product": {
                  "name": "python313-uv-bash-completion-0.8.8-1.1.ppc64le",
                  "product_id": "python313-uv-bash-completion-0.8.8-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python313-uv-fish-completion-0.8.8-1.1.ppc64le",
                "product": {
                  "name": "python313-uv-fish-completion-0.8.8-1.1.ppc64le",
                  "product_id": "python313-uv-fish-completion-0.8.8-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python313-uv-zsh-completion-0.8.8-1.1.ppc64le",
                "product": {
                  "name": "python313-uv-zsh-completion-0.8.8-1.1.ppc64le",
                  "product_id": "python313-uv-zsh-completion-0.8.8-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-uv-0.8.8-1.1.s390x",
                "product": {
                  "name": "python311-uv-0.8.8-1.1.s390x",
                  "product_id": "python311-uv-0.8.8-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python311-uv-bash-completion-0.8.8-1.1.s390x",
                "product": {
                  "name": "python311-uv-bash-completion-0.8.8-1.1.s390x",
                  "product_id": "python311-uv-bash-completion-0.8.8-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python311-uv-fish-completion-0.8.8-1.1.s390x",
                "product": {
                  "name": "python311-uv-fish-completion-0.8.8-1.1.s390x",
                  "product_id": "python311-uv-fish-completion-0.8.8-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python311-uv-zsh-completion-0.8.8-1.1.s390x",
                "product": {
                  "name": "python311-uv-zsh-completion-0.8.8-1.1.s390x",
                  "product_id": "python311-uv-zsh-completion-0.8.8-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python312-uv-0.8.8-1.1.s390x",
                "product": {
                  "name": "python312-uv-0.8.8-1.1.s390x",
                  "product_id": "python312-uv-0.8.8-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python312-uv-bash-completion-0.8.8-1.1.s390x",
                "product": {
                  "name": "python312-uv-bash-completion-0.8.8-1.1.s390x",
                  "product_id": "python312-uv-bash-completion-0.8.8-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python312-uv-fish-completion-0.8.8-1.1.s390x",
                "product": {
                  "name": "python312-uv-fish-completion-0.8.8-1.1.s390x",
                  "product_id": "python312-uv-fish-completion-0.8.8-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python312-uv-zsh-completion-0.8.8-1.1.s390x",
                "product": {
                  "name": "python312-uv-zsh-completion-0.8.8-1.1.s390x",
                  "product_id": "python312-uv-zsh-completion-0.8.8-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python313-uv-0.8.8-1.1.s390x",
                "product": {
                  "name": "python313-uv-0.8.8-1.1.s390x",
                  "product_id": "python313-uv-0.8.8-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python313-uv-bash-completion-0.8.8-1.1.s390x",
                "product": {
                  "name": "python313-uv-bash-completion-0.8.8-1.1.s390x",
                  "product_id": "python313-uv-bash-completion-0.8.8-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python313-uv-fish-completion-0.8.8-1.1.s390x",
                "product": {
                  "name": "python313-uv-fish-completion-0.8.8-1.1.s390x",
                  "product_id": "python313-uv-fish-completion-0.8.8-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python313-uv-zsh-completion-0.8.8-1.1.s390x",
                "product": {
                  "name": "python313-uv-zsh-completion-0.8.8-1.1.s390x",
                  "product_id": "python313-uv-zsh-completion-0.8.8-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-uv-0.8.8-1.1.x86_64",
                "product": {
                  "name": "python311-uv-0.8.8-1.1.x86_64",
                  "product_id": "python311-uv-0.8.8-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python311-uv-bash-completion-0.8.8-1.1.x86_64",
                "product": {
                  "name": "python311-uv-bash-completion-0.8.8-1.1.x86_64",
                  "product_id": "python311-uv-bash-completion-0.8.8-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python311-uv-fish-completion-0.8.8-1.1.x86_64",
                "product": {
                  "name": "python311-uv-fish-completion-0.8.8-1.1.x86_64",
                  "product_id": "python311-uv-fish-completion-0.8.8-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python311-uv-zsh-completion-0.8.8-1.1.x86_64",
                "product": {
                  "name": "python311-uv-zsh-completion-0.8.8-1.1.x86_64",
                  "product_id": "python311-uv-zsh-completion-0.8.8-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-uv-0.8.8-1.1.x86_64",
                "product": {
                  "name": "python312-uv-0.8.8-1.1.x86_64",
                  "product_id": "python312-uv-0.8.8-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-uv-bash-completion-0.8.8-1.1.x86_64",
                "product": {
                  "name": "python312-uv-bash-completion-0.8.8-1.1.x86_64",
                  "product_id": "python312-uv-bash-completion-0.8.8-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-uv-fish-completion-0.8.8-1.1.x86_64",
                "product": {
                  "name": "python312-uv-fish-completion-0.8.8-1.1.x86_64",
                  "product_id": "python312-uv-fish-completion-0.8.8-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-uv-zsh-completion-0.8.8-1.1.x86_64",
                "product": {
                  "name": "python312-uv-zsh-completion-0.8.8-1.1.x86_64",
                  "product_id": "python312-uv-zsh-completion-0.8.8-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-uv-0.8.8-1.1.x86_64",
                "product": {
                  "name": "python313-uv-0.8.8-1.1.x86_64",
                  "product_id": "python313-uv-0.8.8-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-uv-bash-completion-0.8.8-1.1.x86_64",
                "product": {
                  "name": "python313-uv-bash-completion-0.8.8-1.1.x86_64",
                  "product_id": "python313-uv-bash-completion-0.8.8-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-uv-fish-completion-0.8.8-1.1.x86_64",
                "product": {
                  "name": "python313-uv-fish-completion-0.8.8-1.1.x86_64",
                  "product_id": "python313-uv-fish-completion-0.8.8-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-uv-zsh-completion-0.8.8-1.1.x86_64",
                "product": {
                  "name": "python313-uv-zsh-completion-0.8.8-1.1.x86_64",
                  "product_id": "python313-uv-zsh-completion-0.8.8-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-uv-0.8.8-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-uv-0.8.8-1.1.aarch64"
        },
        "product_reference": "python311-uv-0.8.8-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-uv-0.8.8-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-uv-0.8.8-1.1.ppc64le"
        },
        "product_reference": "python311-uv-0.8.8-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-uv-0.8.8-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-uv-0.8.8-1.1.s390x"
        },
        "product_reference": "python311-uv-0.8.8-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-uv-0.8.8-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-uv-0.8.8-1.1.x86_64"
        },
        "product_reference": "python311-uv-0.8.8-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-uv-bash-completion-0.8.8-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-uv-bash-completion-0.8.8-1.1.aarch64"
        },
        "product_reference": "python311-uv-bash-completion-0.8.8-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-uv-bash-completion-0.8.8-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-uv-bash-completion-0.8.8-1.1.ppc64le"
        },
        "product_reference": "python311-uv-bash-completion-0.8.8-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-uv-bash-completion-0.8.8-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-uv-bash-completion-0.8.8-1.1.s390x"
        },
        "product_reference": "python311-uv-bash-completion-0.8.8-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-uv-bash-completion-0.8.8-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-uv-bash-completion-0.8.8-1.1.x86_64"
        },
        "product_reference": "python311-uv-bash-completion-0.8.8-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-uv-fish-completion-0.8.8-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-uv-fish-completion-0.8.8-1.1.aarch64"
        },
        "product_reference": "python311-uv-fish-completion-0.8.8-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-uv-fish-completion-0.8.8-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-uv-fish-completion-0.8.8-1.1.ppc64le"
        },
        "product_reference": "python311-uv-fish-completion-0.8.8-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-uv-fish-completion-0.8.8-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-uv-fish-completion-0.8.8-1.1.s390x"
        },
        "product_reference": "python311-uv-fish-completion-0.8.8-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-uv-fish-completion-0.8.8-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-uv-fish-completion-0.8.8-1.1.x86_64"
        },
        "product_reference": "python311-uv-fish-completion-0.8.8-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-uv-zsh-completion-0.8.8-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-uv-zsh-completion-0.8.8-1.1.aarch64"
        },
        "product_reference": "python311-uv-zsh-completion-0.8.8-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-uv-zsh-completion-0.8.8-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-uv-zsh-completion-0.8.8-1.1.ppc64le"
        },
        "product_reference": "python311-uv-zsh-completion-0.8.8-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-uv-zsh-completion-0.8.8-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-uv-zsh-completion-0.8.8-1.1.s390x"
        },
        "product_reference": "python311-uv-zsh-completion-0.8.8-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-uv-zsh-completion-0.8.8-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-uv-zsh-completion-0.8.8-1.1.x86_64"
        },
        "product_reference": "python311-uv-zsh-completion-0.8.8-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-uv-0.8.8-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-uv-0.8.8-1.1.aarch64"
        },
        "product_reference": "python312-uv-0.8.8-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-uv-0.8.8-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-uv-0.8.8-1.1.ppc64le"
        },
        "product_reference": "python312-uv-0.8.8-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-uv-0.8.8-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-uv-0.8.8-1.1.s390x"
        },
        "product_reference": "python312-uv-0.8.8-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-uv-0.8.8-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-uv-0.8.8-1.1.x86_64"
        },
        "product_reference": "python312-uv-0.8.8-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-uv-bash-completion-0.8.8-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-uv-bash-completion-0.8.8-1.1.aarch64"
        },
        "product_reference": "python312-uv-bash-completion-0.8.8-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-uv-bash-completion-0.8.8-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-uv-bash-completion-0.8.8-1.1.ppc64le"
        },
        "product_reference": "python312-uv-bash-completion-0.8.8-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-uv-bash-completion-0.8.8-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-uv-bash-completion-0.8.8-1.1.s390x"
        },
        "product_reference": "python312-uv-bash-completion-0.8.8-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-uv-bash-completion-0.8.8-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-uv-bash-completion-0.8.8-1.1.x86_64"
        },
        "product_reference": "python312-uv-bash-completion-0.8.8-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-uv-fish-completion-0.8.8-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-uv-fish-completion-0.8.8-1.1.aarch64"
        },
        "product_reference": "python312-uv-fish-completion-0.8.8-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-uv-fish-completion-0.8.8-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-uv-fish-completion-0.8.8-1.1.ppc64le"
        },
        "product_reference": "python312-uv-fish-completion-0.8.8-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-uv-fish-completion-0.8.8-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-uv-fish-completion-0.8.8-1.1.s390x"
        },
        "product_reference": "python312-uv-fish-completion-0.8.8-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-uv-fish-completion-0.8.8-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-uv-fish-completion-0.8.8-1.1.x86_64"
        },
        "product_reference": "python312-uv-fish-completion-0.8.8-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-uv-zsh-completion-0.8.8-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-uv-zsh-completion-0.8.8-1.1.aarch64"
        },
        "product_reference": "python312-uv-zsh-completion-0.8.8-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-uv-zsh-completion-0.8.8-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-uv-zsh-completion-0.8.8-1.1.ppc64le"
        },
        "product_reference": "python312-uv-zsh-completion-0.8.8-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-uv-zsh-completion-0.8.8-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-uv-zsh-completion-0.8.8-1.1.s390x"
        },
        "product_reference": "python312-uv-zsh-completion-0.8.8-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-uv-zsh-completion-0.8.8-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-uv-zsh-completion-0.8.8-1.1.x86_64"
        },
        "product_reference": "python312-uv-zsh-completion-0.8.8-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-uv-0.8.8-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-uv-0.8.8-1.1.aarch64"
        },
        "product_reference": "python313-uv-0.8.8-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-uv-0.8.8-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-uv-0.8.8-1.1.ppc64le"
        },
        "product_reference": "python313-uv-0.8.8-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-uv-0.8.8-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-uv-0.8.8-1.1.s390x"
        },
        "product_reference": "python313-uv-0.8.8-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-uv-0.8.8-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-uv-0.8.8-1.1.x86_64"
        },
        "product_reference": "python313-uv-0.8.8-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-uv-bash-completion-0.8.8-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-uv-bash-completion-0.8.8-1.1.aarch64"
        },
        "product_reference": "python313-uv-bash-completion-0.8.8-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-uv-bash-completion-0.8.8-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-uv-bash-completion-0.8.8-1.1.ppc64le"
        },
        "product_reference": "python313-uv-bash-completion-0.8.8-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-uv-bash-completion-0.8.8-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-uv-bash-completion-0.8.8-1.1.s390x"
        },
        "product_reference": "python313-uv-bash-completion-0.8.8-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-uv-bash-completion-0.8.8-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-uv-bash-completion-0.8.8-1.1.x86_64"
        },
        "product_reference": "python313-uv-bash-completion-0.8.8-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-uv-fish-completion-0.8.8-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-uv-fish-completion-0.8.8-1.1.aarch64"
        },
        "product_reference": "python313-uv-fish-completion-0.8.8-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-uv-fish-completion-0.8.8-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-uv-fish-completion-0.8.8-1.1.ppc64le"
        },
        "product_reference": "python313-uv-fish-completion-0.8.8-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-uv-fish-completion-0.8.8-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-uv-fish-completion-0.8.8-1.1.s390x"
        },
        "product_reference": "python313-uv-fish-completion-0.8.8-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-uv-fish-completion-0.8.8-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-uv-fish-completion-0.8.8-1.1.x86_64"
        },
        "product_reference": "python313-uv-fish-completion-0.8.8-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-uv-zsh-completion-0.8.8-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-uv-zsh-completion-0.8.8-1.1.aarch64"
        },
        "product_reference": "python313-uv-zsh-completion-0.8.8-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-uv-zsh-completion-0.8.8-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-uv-zsh-completion-0.8.8-1.1.ppc64le"
        },
        "product_reference": "python313-uv-zsh-completion-0.8.8-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-uv-zsh-completion-0.8.8-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-uv-zsh-completion-0.8.8-1.1.s390x"
        },
        "product_reference": "python313-uv-zsh-completion-0.8.8-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-uv-zsh-completion-0.8.8-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-uv-zsh-completion-0.8.8-1.1.x86_64"
        },
        "product_reference": "python313-uv-zsh-completion-0.8.8-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-54368",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-54368"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "uv is a Python package and project manager written in Rust. In versions 0.8.5 and earlier, remote ZIP archives were handled in a streamwise fashion, and file entries were not reconciled against the archive\u0027s central directory. An attacker could contrive a ZIP archive that would extract with legitimate contents on some package installers, and malicious contents on others due to multiple local file entries. An attacker could  also contrive a \"stacked\" ZIP input with multiple internal ZIPs, which would be handled differently by different package installers. The attacker could choose which installer to target in both scenarios. This issue is fixed in version 0.8.6. To work around this issue, users may choose to set UV_INSECURE_NO_ZIP_VALIDATION=1 to revert to the previous behavior.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python311-uv-0.8.8-1.1.aarch64",
          "openSUSE Tumbleweed:python311-uv-0.8.8-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-uv-0.8.8-1.1.s390x",
          "openSUSE Tumbleweed:python311-uv-0.8.8-1.1.x86_64",
          "openSUSE Tumbleweed:python311-uv-bash-completion-0.8.8-1.1.aarch64",
          "openSUSE Tumbleweed:python311-uv-bash-completion-0.8.8-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-uv-bash-completion-0.8.8-1.1.s390x",
          "openSUSE Tumbleweed:python311-uv-bash-completion-0.8.8-1.1.x86_64",
          "openSUSE Tumbleweed:python311-uv-fish-completion-0.8.8-1.1.aarch64",
          "openSUSE Tumbleweed:python311-uv-fish-completion-0.8.8-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-uv-fish-completion-0.8.8-1.1.s390x",
          "openSUSE Tumbleweed:python311-uv-fish-completion-0.8.8-1.1.x86_64",
          "openSUSE Tumbleweed:python311-uv-zsh-completion-0.8.8-1.1.aarch64",
          "openSUSE Tumbleweed:python311-uv-zsh-completion-0.8.8-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-uv-zsh-completion-0.8.8-1.1.s390x",
          "openSUSE Tumbleweed:python311-uv-zsh-completion-0.8.8-1.1.x86_64",
          "openSUSE Tumbleweed:python312-uv-0.8.8-1.1.aarch64",
          "openSUSE Tumbleweed:python312-uv-0.8.8-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-uv-0.8.8-1.1.s390x",
          "openSUSE Tumbleweed:python312-uv-0.8.8-1.1.x86_64",
          "openSUSE Tumbleweed:python312-uv-bash-completion-0.8.8-1.1.aarch64",
          "openSUSE Tumbleweed:python312-uv-bash-completion-0.8.8-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-uv-bash-completion-0.8.8-1.1.s390x",
          "openSUSE Tumbleweed:python312-uv-bash-completion-0.8.8-1.1.x86_64",
          "openSUSE Tumbleweed:python312-uv-fish-completion-0.8.8-1.1.aarch64",
          "openSUSE Tumbleweed:python312-uv-fish-completion-0.8.8-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-uv-fish-completion-0.8.8-1.1.s390x",
          "openSUSE Tumbleweed:python312-uv-fish-completion-0.8.8-1.1.x86_64",
          "openSUSE Tumbleweed:python312-uv-zsh-completion-0.8.8-1.1.aarch64",
          "openSUSE Tumbleweed:python312-uv-zsh-completion-0.8.8-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-uv-zsh-completion-0.8.8-1.1.s390x",
          "openSUSE Tumbleweed:python312-uv-zsh-completion-0.8.8-1.1.x86_64",
          "openSUSE Tumbleweed:python313-uv-0.8.8-1.1.aarch64",
          "openSUSE Tumbleweed:python313-uv-0.8.8-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-uv-0.8.8-1.1.s390x",
          "openSUSE Tumbleweed:python313-uv-0.8.8-1.1.x86_64",
          "openSUSE Tumbleweed:python313-uv-bash-completion-0.8.8-1.1.aarch64",
          "openSUSE Tumbleweed:python313-uv-bash-completion-0.8.8-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-uv-bash-completion-0.8.8-1.1.s390x",
          "openSUSE Tumbleweed:python313-uv-bash-completion-0.8.8-1.1.x86_64",
          "openSUSE Tumbleweed:python313-uv-fish-completion-0.8.8-1.1.aarch64",
          "openSUSE Tumbleweed:python313-uv-fish-completion-0.8.8-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-uv-fish-completion-0.8.8-1.1.s390x",
          "openSUSE Tumbleweed:python313-uv-fish-completion-0.8.8-1.1.x86_64",
          "openSUSE Tumbleweed:python313-uv-zsh-completion-0.8.8-1.1.aarch64",
          "openSUSE Tumbleweed:python313-uv-zsh-completion-0.8.8-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-uv-zsh-completion-0.8.8-1.1.s390x",
          "openSUSE Tumbleweed:python313-uv-zsh-completion-0.8.8-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-54368",
          "url": "https://www.suse.com/security/cve/CVE-2025-54368"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1247829 for CVE-2025-54368",
          "url": "https://bugzilla.suse.com/1247829"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python311-uv-0.8.8-1.1.aarch64",
            "openSUSE Tumbleweed:python311-uv-0.8.8-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-uv-0.8.8-1.1.s390x",
            "openSUSE Tumbleweed:python311-uv-0.8.8-1.1.x86_64",
            "openSUSE Tumbleweed:python311-uv-bash-completion-0.8.8-1.1.aarch64",
            "openSUSE Tumbleweed:python311-uv-bash-completion-0.8.8-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-uv-bash-completion-0.8.8-1.1.s390x",
            "openSUSE Tumbleweed:python311-uv-bash-completion-0.8.8-1.1.x86_64",
            "openSUSE Tumbleweed:python311-uv-fish-completion-0.8.8-1.1.aarch64",
            "openSUSE Tumbleweed:python311-uv-fish-completion-0.8.8-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-uv-fish-completion-0.8.8-1.1.s390x",
            "openSUSE Tumbleweed:python311-uv-fish-completion-0.8.8-1.1.x86_64",
            "openSUSE Tumbleweed:python311-uv-zsh-completion-0.8.8-1.1.aarch64",
            "openSUSE Tumbleweed:python311-uv-zsh-completion-0.8.8-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-uv-zsh-completion-0.8.8-1.1.s390x",
            "openSUSE Tumbleweed:python311-uv-zsh-completion-0.8.8-1.1.x86_64",
            "openSUSE Tumbleweed:python312-uv-0.8.8-1.1.aarch64",
            "openSUSE Tumbleweed:python312-uv-0.8.8-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-uv-0.8.8-1.1.s390x",
            "openSUSE Tumbleweed:python312-uv-0.8.8-1.1.x86_64",
            "openSUSE Tumbleweed:python312-uv-bash-completion-0.8.8-1.1.aarch64",
            "openSUSE Tumbleweed:python312-uv-bash-completion-0.8.8-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-uv-bash-completion-0.8.8-1.1.s390x",
            "openSUSE Tumbleweed:python312-uv-bash-completion-0.8.8-1.1.x86_64",
            "openSUSE Tumbleweed:python312-uv-fish-completion-0.8.8-1.1.aarch64",
            "openSUSE Tumbleweed:python312-uv-fish-completion-0.8.8-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-uv-fish-completion-0.8.8-1.1.s390x",
            "openSUSE Tumbleweed:python312-uv-fish-completion-0.8.8-1.1.x86_64",
            "openSUSE Tumbleweed:python312-uv-zsh-completion-0.8.8-1.1.aarch64",
            "openSUSE Tumbleweed:python312-uv-zsh-completion-0.8.8-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-uv-zsh-completion-0.8.8-1.1.s390x",
            "openSUSE Tumbleweed:python312-uv-zsh-completion-0.8.8-1.1.x86_64",
            "openSUSE Tumbleweed:python313-uv-0.8.8-1.1.aarch64",
            "openSUSE Tumbleweed:python313-uv-0.8.8-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-uv-0.8.8-1.1.s390x",
            "openSUSE Tumbleweed:python313-uv-0.8.8-1.1.x86_64",
            "openSUSE Tumbleweed:python313-uv-bash-completion-0.8.8-1.1.aarch64",
            "openSUSE Tumbleweed:python313-uv-bash-completion-0.8.8-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-uv-bash-completion-0.8.8-1.1.s390x",
            "openSUSE Tumbleweed:python313-uv-bash-completion-0.8.8-1.1.x86_64",
            "openSUSE Tumbleweed:python313-uv-fish-completion-0.8.8-1.1.aarch64",
            "openSUSE Tumbleweed:python313-uv-fish-completion-0.8.8-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-uv-fish-completion-0.8.8-1.1.s390x",
            "openSUSE Tumbleweed:python313-uv-fish-completion-0.8.8-1.1.x86_64",
            "openSUSE Tumbleweed:python313-uv-zsh-completion-0.8.8-1.1.aarch64",
            "openSUSE Tumbleweed:python313-uv-zsh-completion-0.8.8-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-uv-zsh-completion-0.8.8-1.1.s390x",
            "openSUSE Tumbleweed:python313-uv-zsh-completion-0.8.8-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python311-uv-0.8.8-1.1.aarch64",
            "openSUSE Tumbleweed:python311-uv-0.8.8-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-uv-0.8.8-1.1.s390x",
            "openSUSE Tumbleweed:python311-uv-0.8.8-1.1.x86_64",
            "openSUSE Tumbleweed:python311-uv-bash-completion-0.8.8-1.1.aarch64",
            "openSUSE Tumbleweed:python311-uv-bash-completion-0.8.8-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-uv-bash-completion-0.8.8-1.1.s390x",
            "openSUSE Tumbleweed:python311-uv-bash-completion-0.8.8-1.1.x86_64",
            "openSUSE Tumbleweed:python311-uv-fish-completion-0.8.8-1.1.aarch64",
            "openSUSE Tumbleweed:python311-uv-fish-completion-0.8.8-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-uv-fish-completion-0.8.8-1.1.s390x",
            "openSUSE Tumbleweed:python311-uv-fish-completion-0.8.8-1.1.x86_64",
            "openSUSE Tumbleweed:python311-uv-zsh-completion-0.8.8-1.1.aarch64",
            "openSUSE Tumbleweed:python311-uv-zsh-completion-0.8.8-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-uv-zsh-completion-0.8.8-1.1.s390x",
            "openSUSE Tumbleweed:python311-uv-zsh-completion-0.8.8-1.1.x86_64",
            "openSUSE Tumbleweed:python312-uv-0.8.8-1.1.aarch64",
            "openSUSE Tumbleweed:python312-uv-0.8.8-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-uv-0.8.8-1.1.s390x",
            "openSUSE Tumbleweed:python312-uv-0.8.8-1.1.x86_64",
            "openSUSE Tumbleweed:python312-uv-bash-completion-0.8.8-1.1.aarch64",
            "openSUSE Tumbleweed:python312-uv-bash-completion-0.8.8-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-uv-bash-completion-0.8.8-1.1.s390x",
            "openSUSE Tumbleweed:python312-uv-bash-completion-0.8.8-1.1.x86_64",
            "openSUSE Tumbleweed:python312-uv-fish-completion-0.8.8-1.1.aarch64",
            "openSUSE Tumbleweed:python312-uv-fish-completion-0.8.8-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-uv-fish-completion-0.8.8-1.1.s390x",
            "openSUSE Tumbleweed:python312-uv-fish-completion-0.8.8-1.1.x86_64",
            "openSUSE Tumbleweed:python312-uv-zsh-completion-0.8.8-1.1.aarch64",
            "openSUSE Tumbleweed:python312-uv-zsh-completion-0.8.8-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-uv-zsh-completion-0.8.8-1.1.s390x",
            "openSUSE Tumbleweed:python312-uv-zsh-completion-0.8.8-1.1.x86_64",
            "openSUSE Tumbleweed:python313-uv-0.8.8-1.1.aarch64",
            "openSUSE Tumbleweed:python313-uv-0.8.8-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-uv-0.8.8-1.1.s390x",
            "openSUSE Tumbleweed:python313-uv-0.8.8-1.1.x86_64",
            "openSUSE Tumbleweed:python313-uv-bash-completion-0.8.8-1.1.aarch64",
            "openSUSE Tumbleweed:python313-uv-bash-completion-0.8.8-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-uv-bash-completion-0.8.8-1.1.s390x",
            "openSUSE Tumbleweed:python313-uv-bash-completion-0.8.8-1.1.x86_64",
            "openSUSE Tumbleweed:python313-uv-fish-completion-0.8.8-1.1.aarch64",
            "openSUSE Tumbleweed:python313-uv-fish-completion-0.8.8-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-uv-fish-completion-0.8.8-1.1.s390x",
            "openSUSE Tumbleweed:python313-uv-fish-completion-0.8.8-1.1.x86_64",
            "openSUSE Tumbleweed:python313-uv-zsh-completion-0.8.8-1.1.aarch64",
            "openSUSE Tumbleweed:python313-uv-zsh-completion-0.8.8-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-uv-zsh-completion-0.8.8-1.1.s390x",
            "openSUSE Tumbleweed:python313-uv-zsh-completion-0.8.8-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-09T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-54368"
    }
  ]
}

ghsa-8qf3-x8v5-2pj8

Vulnerability from github

Published

2025-08-07 20:52

Modified

2025-08-08 14:54

Severity ?

6.8 (Medium) - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Summary

uv allows ZIP payload obfuscation through parsing differentials

Details

Impact

In versions 0.8.5 and earlier of uv, remote ZIP archives were handled in a streamwise fashion, and file entries were not reconciled against the archive's central directory. This enabled two parser differentials against other Python package installers:

An attacker could contrive a ZIP archive that would extract with legitimate contents on some package installers, and malicious contents on others due to multiple local file entries. The attacker could choose which installer to target.
An attacker could contrive a "stacked" ZIP input with multiple internal ZIPs, which would be handled differently by different package installers. The attacker could choose which installer to target.

In both cases, the outcome is that an attacker can produce a ZIP with a consistent digest that expands differently with different installers.

The ZIP standard is ambiguous with respect to these behavior differentials. Consequently, these same differentials may be accepted ZIP parsers other than those used in uv. This advisory is for uv in particular, but all consumers of ZIP-based Python package distributions, e.g., pip, are potentially susceptible to similar parser differentials in other ZIP parsers.

The practical impact of these differentials is limited by a number of factors:

To be compromised via this vulnerability, user interaction of some sort is required. In particular, the user must run uv install $package with an attacker-controlled $package.
When using wheel distributions, installation of the malicious package is not sufficient for execution of malicious code, the vicim would need to perform a separate invocation, e.g., python -c "import $package".
If a ZIP-based source distribution (which are less common than tarball source distributions), is encountered, malicious code can be executed during package resolution or installation. uv may invoke the malicious code when building the source distribution into a wheel.
The practical impact of these differentials is limited by a coordinated fix to Warehouse, PyPI's backend: Warehouse now rejects ZIPs exhibiting these differentials, limiting the ability of an attacker to distribute malicious ZIP distributions via PyPI. As part of that coordinated fix, a review of Warehouse revealed no evidence of exploitation.

Patches

Versions 0.8.6 and newer of uv address both of the parser differentials above, by refusing to process ZIPs with duplicated local file entries or stacked contents.

Workarounds

Users are advised to upgrade to 0.8.6 or newer to address this advisory.

Most users should experience no breaking changes as a result of the patch above. However, users who do experience breakage should carefully review their distributions for signs of malicious intent. Users may choose to set UV_INSECURE_NO_ZIP_VALIDATION=1 to revert to the previous behavior.

Attribution

This vulnerability was discovered separately by two different individuals: Caleb Brown (Google) and Tim Hatch (Netflix).

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.8.5"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "uv"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54368"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-436"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-07T20:52:44Z",
    "nvd_published_at": "2025-08-08T00:15:26Z",
    "severity": "MODERATE"
  },
  "details": "## Impact\n\nIn versions 0.8.5 and earlier of uv, remote ZIP archives were handled in a streamwise fashion, and file entries were not reconciled against the archive\u0027s central directory. This enabled two parser differentials against other Python package installers:\n\n1. An attacker could contrive a ZIP archive that would extract with legitimate contents on some package installers, and malicious contents on others due to multiple local file entries. The attacker could choose which installer to target.\n2. An attacker could contrive a \"stacked\" ZIP input with multiple internal ZIPs, which would be handled differently by different package installers. The attacker could choose which installer to target.\n\nIn both cases, the outcome is that an attacker can produce a ZIP with a consistent digest that expands differently with different installers.\n\nThe [ZIP standard](https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT) is ambiguous with respect to these behavior differentials. Consequently, these same differentials may be accepted ZIP parsers other than those used in uv. This advisory is for uv in particular, but all consumers of ZIP-based Python package distributions, e.g., pip, are potentially susceptible to similar parser differentials in other ZIP parsers.\n\nThe practical impact of these differentials is limited by a number of factors:\n\n- To be compromised via this vulnerability, user interaction of some sort is required. In particular, the user must run `uv install $package` with an attacker-controlled `$package`.\n- When using wheel distributions, installation of the malicious package is not sufficient for execution of malicious code, the vicim would need to perform a separate invocation, e.g., `python -c \"import $package\"`.\n- If a ZIP-based source distribution (which are less common than tarball source distributions), is encountered, malicious code can be executed during package resolution or installation. uv may invoke the malicious code when building the source distribution into a wheel.\n- The practical impact of these differentials is limited by a coordinated fix to [Warehouse](https://github.com/pypi/warehouse), PyPI\u0027s backend: Warehouse now rejects ZIPs exhibiting these differentials, limiting the ability of an attacker to distribute malicious ZIP distributions via PyPI. As part of that coordinated fix, a review of Warehouse revealed no evidence of exploitation.\n\n## Patches\n\nVersions 0.8.6 and newer of uv address both of the parser differentials above, by refusing to process ZIPs with duplicated local file entries or stacked contents.\n\n## Workarounds\n\nUsers are advised to upgrade to 0.8.6 or newer to address this advisory.\n\nMost users should experience no breaking changes as a result of the patch above. However, users who do experience breakage should carefully review their distributions for signs of malicious intent. Users may choose to set `UV_INSECURE_NO_ZIP_VALIDATION=1` to revert to the previous behavior.\n\n## Attribution\n\nThis vulnerability was discovered separately by two different individuals: Caleb Brown (Google) and Tim Hatch (Netflix).",
  "id": "GHSA-8qf3-x8v5-2pj8",
  "modified": "2025-08-08T14:54:11Z",
  "published": "2025-08-07T20:52:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/astral-sh/uv/security/advisories/GHSA-8qf3-x8v5-2pj8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54368"
    },
    {
      "type": "WEB",
      "url": "https://github.com/astral-sh/uv/commit/7f1eaf48c193e045ca2c62c4581048765c55505f"
    },
    {
      "type": "WEB",
      "url": "https://astral.sh/blog/uv-security-advisory-cve-2025-54368"
    },
    {
      "type": "WEB",
      "url": "https://blog.pypi.org/posts/2025-08-07-wheel-archive-confusion-attacks"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/astral-sh/uv"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "uv allows ZIP payload obfuscation through parsing differentials"
}

fkie_cve-2025-54368

Vulnerability from fkie_nvd

Published

2025-08-08 00:15

Modified

2025-08-08 20:30

Severity ?

6.8 (Medium) - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Summary

References

▶	URL	Tags
	security-advisories@github.com	https://astral.sh/blog/uv-security-advisory-cve-2025-54368
	security-advisories@github.com	https://blog.pypi.org/posts/2025-08-07-wheel-archive-confusion-attacks
	security-advisories@github.com	https://github.com/astral-sh/uv/commit/7f1eaf48c193e045ca2c62c4581048765c55505f
	security-advisories@github.com	https://github.com/astral-sh/uv/security/advisories/GHSA-8qf3-x8v5-2pj8

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "uv is a Python package and project manager written in Rust. In versions 0.8.5 and earlier, remote ZIP archives were handled in a streamwise fashion, and file entries were not reconciled against the archive\u0027s central directory. An attacker could contrive a ZIP archive that would extract with legitimate contents on some package installers, and malicious contents on others due to multiple local file entries. An attacker could  also contrive a \"stacked\" ZIP input with multiple internal ZIPs, which would be handled differently by different package installers. The attacker could choose which installer to target in both scenarios. This issue is fixed in version 0.8.6. To work around this issue, users may choose to set UV_INSECURE_NO_ZIP_VALIDATION=1 to revert to the previous behavior."
    },
    {
      "lang": "es",
      "value": "uv es un gestor de paquetes y proyectos de Python escrito en Rust. En las versiones 0.8.5 y anteriores, los archivos ZIP remotos se gestionaban de forma secuencial y las entradas de archivo no se conciliaban con el directorio central del archivo. Un atacante podr\u00eda crear un archivo ZIP que extrajera contenido leg\u00edtimo en algunos instaladores de paquetes y contenido malicioso en otros, debido a m\u00faltiples entradas de archivo locales. Un atacante tambi\u00e9n podr\u00eda crear una entrada ZIP \"apilada\" con m\u00faltiples ZIP internos, que se gestionar\u00edan de forma diferente seg\u00fan el instalador. El atacante podr\u00eda elegir el instalador objetivo en ambos casos. Este problema se ha corregido en la versi\u00f3n 0.8.6. Para solucionarlo, los usuarios pueden configurar UV_INSECURE_NO_ZIP_VALIDATION=1 para volver al comportamiento anterior."
    }
  ],
  "id": "CVE-2025-54368",
  "lastModified": "2025-08-08T20:30:18.180",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-08-08T00:15:26.583",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://astral.sh/blog/uv-security-advisory-cve-2025-54368"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://blog.pypi.org/posts/2025-08-07-wheel-archive-confusion-attacks"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/astral-sh/uv/commit/7f1eaf48c193e045ca2c62c4581048765c55505f"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/astral-sh/uv/security/advisories/GHSA-8qf3-x8v5-2pj8"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        },
        {
          "lang": "en",
          "value": "CWE-436"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-54368 (GCVE-0-2025-54368)

Vulnerability from cvelistv5

opensuse-su-2025:15429-1

Vulnerability from csaf_opensuse

ghsa-8qf3-x8v5-2pj8

Vulnerability from github

Impact

Patches

Workarounds

Attribution

fkie_cve-2025-54368

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature