Homepage

uv@0.9.0 vulnerabilities

An extremely fast Python package and project manager, written in Rust.

  • latest version

    0.9.7

  • latest non vulnerable version

    0.9.7

  • first published

    1 years ago

  • latest version published

    4 days ago

  • licenses detected

  • View uv package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the uv package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Improper Validation of Syntactic Correctness of Input

    uv is an An extremely fast Python package and project manager, written in Rust.

    Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input in ZIP archives filenames processing. An attacker can cause malicious code to be executed or files to be extracted differently across Python package installers by crafting a ZIP archive with specially constructed central directory comments or ambiguous filename fields. This is only exploitable if a user installs an attacker-controlled package and, in the case of wheel distributions, executes a separate invocation such as importing the package after installation.

    How to fix Improper Validation of Syntactic Correctness of Input?

    Upgrade uv to version 0.9.6 or higher.

    [,0.9.6)
    Go back to all versions of this package