
10 matches found

Source: OSV (added 2026/05/29 7:26 p.m., 19 views)

GHSA-4GG8-GXPX-9RPH uv is vulnerable to arbitrary file write through entry point names

Impact: In versions of uv prior to 0.11.15, when installing a distribution containing an entry point specification under console_scripts or gui_scripts, uv would place the generated entry point according to the given name even if doing so resulted in a path outside of the environment's scripts...

AI score: 6.2 | Exploits: 0 | References: 2
Source: Github Security Blog (added 2026/05/29 7:26 p.m., 26 views)

uv is vulnerable to arbitrary file write through entry point names

Impact: In versions of uv prior to 0.11.15, when installing a distribution containing an entry point specification under console_scripts or gui_scripts, uv would place the generated entry point according to the given name even if doing so resulted in a path outside of the environment's scripts...

AI score: 6.2 | Exploits: 0 | References: 2 | Affected Software: 1
Source: Positive Technologies (added 2026/05/29 12:00 a.m., 9 views)

PT-2026-47548

Impact: In versions of uv prior to 0.11.15, when installing a distribution containing an entry point specification under console_scripts or gui_scripts, uv would place the generated entry point according to the given name even if doing so resulted in a path outside of the environment's scripts...

AI score: 6 | Exploits: 0 | References: 3
Source: Github Security Blog (added 2026/04/10 7:39 p.m., 3 views)

uv vulnerable to arbitrary file deletion through RECORD entries

Impact: Wheel RECORD entries can contain relative paths that traverse outside of the wheel's installation prefix. In versions 0.11.5 and earlier of uv, these wheels were not rejected on installation and the RECORD was respected without validation on uninstall. uv uses the RECORD to determine files...

AI score: 5.9 | Exploits: 0 | References: 7 | Affected Software: 1
Source: Cvelist (added 2026/02/27 7:30 a.m., 22 views)

CVE-2025-13327 Uv: uv: specially crafted zip archives lead to arbitrary code execution due to parsing differentials

A flaw was found in uv. This vulnerability allows an attacker to execute malicious code during package resolution or installation via specially crafted ZIP Zipped Information Package archives that exploit parsing differentials, requiring user interaction to install an attacker-controlled package...

CVSS: 6.3 | EPSS: 0.0015 | Exploits: 0 | References: 5
Source: Tenable Nessus (added 2025/11/03 12:00 a.m., 5 views)

Fedora 42 : openapi-python-client / python-uv-build / ruff / etc (2025-a77c1f005b)

The remote Fedora 42 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2025-a77c1f005b advisory. uv 0.9.5: https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md. Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for...

CVSS: 8.1 | AI score: 6.9 | EPSS: 0.00688 | Exploits: 1 | References: 3
Source: OSV (added 2025/10/29 10:12 p.m., 2 views)

GHSA-PQHF-P39G-3X64 uv allows ZIP payload obfuscation through parsing differentials

Impact: In versions 0.9.5 and earlier of uv, ZIP archives were handled in a manner that enabled two parsing differentials against other components of the Python packaging ecosystem: 1. Central directory entries in a ZIP archive can contain comment fields. However, uv would assume that these fields...

CVSS: 6.8 | AI score: 6.2 | EPSS: 0.0015 | Exploits: 0 | References: 3
Source: OSV (added 2025/10/21 6:53 p.m., 6 views)

GHSA-W476-P2H3-79G9 uv has differential in tar extraction with PAX headers

Impact: In versions 0.9.4 and earlier of uv, tar archives containing PAX headers with file size overrides were not handled properly. As a result, an attacker could contrive a source distribution as a tar archive that would extract differently when installed via uv versus other Python package...

CVSS: 8.1 | AI score: 7.6 | EPSS: 0.00688 | Exploits: 1 | References: 6
Source: Tenable Nessus (added 2025/09/13 12:00 a.m., 2 views)

Fedora 41 : rust-secret-service / uv (2025-c71f0af9b2)

The remote Fedora 41 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2025-c71f0af9b2 advisory. Security fix for CVE-2025-58160: rebuilt uv and python-uv-build with rust-tracing-subscriber 0.3.20. Initial package for rust-secret-service in Fedora 43...

CVSS: 2.3 | AI score: 5.5 | EPSS: 0.00303 | Exploits: 0 | References: 2
Source: OSV (added 2025/08/07 8:52 p.m., 2 views)

GHSA-8QF3-X8V5-2PJ8 uv allows ZIP payload obfuscation through parsing differentials

Impact: In versions 0.8.5 and earlier of uv, remote ZIP archives were handled in a streamwise fashion, and file entries were not reconciled against the archive's central directory. This enabled two parser differentials against other Python package installers: 1. An attacker could contrive a ZIP...

CVSS: 6.8 | AI score: 7.3 | EPSS: 0.00183 | Exploits: 0 | References: 6