Vulnerability	Vulnerable Version
M Improper Validation of Syntactic Correctness of Input uv is an An extremely fast Python package and project manager, written in Rust. Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input in ZIP archives filenames processing. An attacker can cause malicious code to be executed or files to be extracted differently across Python package installers by crafting a ZIP archive with specially constructed central directory comments or ambiguous filename fields. This is only exploitable if a user installs an attacker-controlled package and, in the case of wheel distributions, executes a separate invocation such as importing the package after installation. How to fix Improper Validation of Syntactic Correctness of Input? Upgrade `uv` to version 0.9.6 or higher.	[,0.9.6)

Improper Validation of Syntactic Correctness of Input

uv is an An extremely fast Python package and project manager, written in Rust.

Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input in ZIP archives filenames processing. An attacker can cause malicious code to be executed or files to be extracted differently across Python package installers by crafting a ZIP archive with specially constructed central directory comments or ambiguous filename fields. This is only exploitable if a user installs an attacker-controlled package and, in the case of wheel distributions, executes a separate invocation such as importing the package after installation.

How to fix Improper Validation of Syntactic Correctness of Input?

Upgrade uv to version 0.9.6 or higher.

[,0.9.6)

Go back to all versions of this package