ghsa-8qf3-x8v5-2pj8
Vulnerability from github
Published: 2025-08-07 20:52
Modified: 2025-08-08 14:54
Summary
uv allows ZIP payload obfuscation through parsing differentials
Details

Impact

In versions 0.8.5 and earlier of uv, remote ZIP archives were handled in a streamwise fashion, and file entries were not reconciled against the archive's central directory. This enabled two parser differentials against other Python package installers:

  1. An attacker could contrive a ZIP archive that would extract with legitimate contents on some package installers, and malicious contents on others due to multiple local file entries. The attacker could choose which installer to target.
  2. An attacker could contrive a "stacked" ZIP input with multiple internal ZIPs, which would be handled differently by different package installers. The attacker could choose which installer to target.

In both cases, the outcome is that an attacker can produce a ZIP with a consistent digest that expands differently with different installers.

The ZIP standard is ambiguous with respect to these behavior differentials. Consequently, these same differentials may be accepted by ZIP parsers other than those used in uv. This advisory is for uv in particular, but all consumers of ZIP-based Python package distributions, e.g., pip, are potentially susceptible to similar parser differentials in other ZIP parsers.

The practical impact of these differentials is limited by a number of factors:

  • To be compromised via this vulnerability, user interaction of some sort is required. In particular, the user must run uv install $package with an attacker-controlled $package.
  • When using wheel distributions, installation of the malicious package is not sufficient for execution of malicious code; the victim would need to perform a separate invocation, e.g., python -c "import $package".
  • If a ZIP-based source distribution (which is less common than a tarball source distribution) is encountered, malicious code can be executed during package resolution or installation. uv may invoke the malicious code when building the source distribution into a wheel.
  • The practical impact of these differentials is limited by a coordinated fix to Warehouse, PyPI's backend: Warehouse now rejects ZIPs exhibiting these differentials, limiting the ability of an attacker to distribute malicious ZIP distributions via PyPI. As part of that coordinated fix, a review of Warehouse revealed no evidence of exploitation.

Patches

Versions 0.8.6 and newer of uv address both of the parser differentials above, by refusing to process ZIPs with duplicated local file entries or stacked contents.
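
A defender-side check for the two conditions named above, as an added example (not uv's or Warehouse's code): it compares the entries a front-to-back reader sees in the local file headers with the entries listed in the central directory, and flags duplicate names and data stacked in front of the archive. The function names and sample archives are constructed for illustration, and the walk assumes entries without data descriptors or ZIP64 records.

```python
import io
import struct
import warnings
import zipfile

LFH, EOCD = b"PK\x03\x04", b"PK\x05\x06"  # local file header / end of central directory

def make_zip(entries):
    """Constructed sample data: in-memory stored ZIP from (name, bytes) pairs."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about duplicate names
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()

def stream_view(blob):
    """(name, crc) pairs seen by walking local file headers front to back."""
    pos, seen = 0, []
    while blob[pos:pos + 4] == LFH:
        flags, crc, csize = struct.unpack_from("<H6xII", blob, pos + 6)
        if flags & 0x08:
            raise ValueError("data descriptor entry: sizes are not in the local header")
        nlen, xlen = struct.unpack_from("<HH", blob, pos + 26)
        seen.append((blob[pos + 30:pos + 30 + nlen].decode("utf-8", "replace"), crc))
        pos += 30 + nlen + xlen + csize
    return seen

def central_view(blob):
    """(name, crc) pairs listed in the central directory located from the end."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [(info.filename, info.CRC) for info in zf.infolist()]

def audit(blob):
    """Return a sorted list of findings; an empty list means the two views agree."""
    findings = set()
    local, central = stream_view(blob), central_view(blob)
    for view in (local, central):
        names = [name for name, _ in view]
        if len(names) != len(set(names)):
            findings.add("duplicate-entry")
    if local != central:
        findings.add("local-central-mismatch")
    eocd = blob.rfind(EOCD)  # heuristic: last end-of-central-directory signature
    cd_size, cd_off = struct.unpack_from("<II", blob, eocd + 12)
    if eocd - cd_size != cd_off:
        findings.add("data-before-archive")  # e.g. another ZIP stacked in front
    return sorted(findings)
```

Any non-empty result from `audit()` on a wheel or ZIP sdist is a reason to quarantine the file rather than install it.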

Workarounds

Users are advised to upgrade to 0.8.6 or newer to address this advisory.

Most users should experience no breaking changes as a result of the patch above. However, users who do experience breakage should carefully review their distributions for signs of malicious intent. Users may choose to set UV_INSECURE_NO_ZIP_VALIDATION=1 to revert to the previous behavior.

Attribution

This vulnerability was discovered separately by two different individuals: Caleb Brown (Google) and Tim Hatch (Netflix).



{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.8.5"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "uv"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54368"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-436"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-07T20:52:44Z",
    "nvd_published_at": "2025-08-08T00:15:26Z",
    "severity": "MODERATE"
  },
  "details": "## Impact\n\nIn versions 0.8.5 and earlier of uv, remote ZIP archives were handled in a streamwise fashion, and file entries were not reconciled against the archive\u0027s central directory. This enabled two parser differentials against other Python package installers:\n\n1. An attacker could contrive a ZIP archive that would extract with legitimate contents on some package installers, and malicious contents on others due to multiple local file entries. The attacker could choose which installer to target.\n2. An attacker could contrive a \"stacked\" ZIP input with multiple internal ZIPs, which would be handled differently by different package installers. The attacker could choose which installer to target.\n\nIn both cases, the outcome is that an attacker can produce a ZIP with a consistent digest that expands differently with different installers.\n\nThe [ZIP standard](https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT) is ambiguous with respect to these behavior differentials. Consequently, these same differentials may be accepted ZIP parsers other than those used in uv. This advisory is for uv in particular, but all consumers of ZIP-based Python package distributions, e.g., pip, are potentially susceptible to similar parser differentials in other ZIP parsers.\n\nThe practical impact of these differentials is limited by a number of factors:\n\n- To be compromised via this vulnerability, user interaction of some sort is required. In particular, the user must run `uv install $package` with an attacker-controlled `$package`.\n- When using wheel distributions, installation of the malicious package is not sufficient for execution of malicious code, the vicim would need to perform a separate invocation, e.g., `python -c \"import $package\"`.\n- If a ZIP-based source distribution (which are less common than tarball source distributions), is encountered, malicious code can be executed during package resolution or installation. uv may invoke the malicious code when building the source distribution into a wheel.\n- The practical impact of these differentials is limited by a coordinated fix to [Warehouse](https://github.com/pypi/warehouse), PyPI\u0027s backend: Warehouse now rejects ZIPs exhibiting these differentials, limiting the ability of an attacker to distribute malicious ZIP distributions via PyPI. As part of that coordinated fix, a review of Warehouse revealed no evidence of exploitation.\n\n## Patches\n\nVersions 0.8.6 and newer of uv address both of the parser differentials above, by refusing to process ZIPs with duplicated local file entries or stacked contents.\n\n## Workarounds\n\nUsers are advised to upgrade to 0.8.6 or newer to address this advisory.\n\nMost users should experience no breaking changes as a result of the patch above. However, users who do experience breakage should carefully review their distributions for signs of malicious intent. Users may choose to set `UV_INSECURE_NO_ZIP_VALIDATION=1` to revert to the previous behavior.\n\n## Attribution\n\nThis vulnerability was discovered separately by two different individuals: Caleb Brown (Google) and Tim Hatch (Netflix).",
  "id": "GHSA-8qf3-x8v5-2pj8",
  "modified": "2025-08-08T14:54:11Z",
  "published": "2025-08-07T20:52:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/astral-sh/uv/security/advisories/GHSA-8qf3-x8v5-2pj8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54368"
    },
    {
      "type": "WEB",
      "url": "https://github.com/astral-sh/uv/commit/7f1eaf48c193e045ca2c62c4581048765c55505f"
    },
    {
      "type": "WEB",
      "url": "https://astral.sh/blog/uv-security-advisory-cve-2025-54368"
    },
    {
      "type": "WEB",
      "url": "https://blog.pypi.org/posts/2025-08-07-wheel-archive-confusion-attacks"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/astral-sh/uv"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "uv allows ZIP payload obfuscation through parsing differentials"
}

