Improper Validation of Syntactic Correctness of Input Affecting uv package, versions [,0.9.6)


Severity: medium (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-PYTHON-UV-13786939
  • Published: 31 Oct 2025
  • Disclosed: 29 Oct 2025
  • Credit: Caleb Brown

Introduced: 29 Oct 2025

CVE: not available. CWE-1286

How to fix?

Upgrade uv to version 0.9.6 or higher.

Overview

uv is an extremely fast Python package and project manager, written in Rust.

Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input in the processing of filenames in ZIP archives. An attacker can cause malicious code to be executed, or files to be extracted differently across Python package installers, by crafting a ZIP archive with specially constructed central directory comments or ambiguous filename fields. This is only exploitable if a user installs an attacker-controlled package and, in the case of wheel distributions, performs a separate action such as importing the package after installation.
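The disagreement the advisory describes is structural: a ZIP archive carries each filename twice (once in the local file header, once in the central directory) and declares how many bytes follow the end-of-central-directory record as a comment, so two installers that trust different fields can extract different paths from the same file. The following script is an added example, not uv's code or Snyk's, showing the kind of pre-installation check a defender can run: it parses the central directory and local headers directly with `struct`, flags bytes after the declared comment and any central/local filename disagreement, and exercises the check on two constructed archives (a clean one built with the standard library, and the same archive with one central directory name rewritten and trailing bytes appended). The member names and the `audit_zip` finding kinds are assumptions made for this example.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"


def audit_zip(data: bytes) -> list:
    """Return (kind, detail) findings for structural ambiguities in a ZIP blob.

    Two checks: (1) the end-of-central-directory (EOCD) comment length must
    account for every byte after the record, so a parser that stops at the
    declared comment and one that scans for records cannot disagree; (2) each
    central directory filename must equal the filename in the local file header
    it points to, so central-directory-driven and local-header-driven
    extractors produce the same paths. Finding kinds are names chosen here.
    """
    findings = []
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return [("no_eocd", "end-of-central-directory record not found")]
    # EOCD layout: sig(4) disk(2) cd_disk(2) entries_on_disk(2) entries(2)
    #              cd_size(4) cd_offset(4) comment_len(2)
    _, _, _, n_entries, cd_size, cd_offset, comment_len = struct.unpack(
        "<HHHHIIH", data[eocd + 4 : eocd + 22]
    )
    declared_end = eocd + 22 + comment_len
    if declared_end > len(data):
        findings.append(("comment_overrun", f"comment_len {comment_len} runs past end of file"))
    elif declared_end < len(data):
        findings.append(("trailing_data", f"{len(data) - declared_end} byte(s) after the declared comment"))
    if cd_offset + cd_size != eocd:
        findings.append(("cd_extent_mismatch", f"central directory {cd_offset}+{cd_size} does not end at EOCD {eocd}"))

    pos = cd_offset
    for _ in range(n_entries):
        if data[pos : pos + 4] != CENTRAL_SIG:
            findings.append(("bad_central_sig", f"at offset {pos}"))
            break
        # Central header fixed part is 46 bytes; after the signature the fields are
        # version_made, version_needed, flags, compression, mtime, mdate, crc, csize,
        # usize, name_len, extra_len, comment_len, disk, int_attr, ext_attr, local_offset.
        f = struct.unpack("<HHHHHHIIIHHHHHII", data[pos + 4 : pos + 46])
        name_len, extra_len, ccomment_len, local_off = f[9], f[10], f[11], f[15]
        central_name = bytes(data[pos + 46 : pos + 46 + name_len])
        pos += 46 + name_len + extra_len + ccomment_len
        if data[local_off : local_off + 4] != LOCAL_SIG:
            findings.append(("bad_local_sig", f"{central_name!r} points to offset {local_off}"))
            continue
        # Local header fixed part is 30 bytes; name_len at +26, extra_len at +28, name at +30.
        l_name_len, _ = struct.unpack("<HH", data[local_off + 26 : local_off + 30])
        local_name = bytes(data[local_off + 30 : local_off + 30 + l_name_len])
        if local_name != central_name:
            findings.append(("name_mismatch", f"central {central_name!r} vs local {local_name!r}"))
    return findings


def build_clean_zip() -> bytes:
    """Constructed sample: a small, well-formed archive with two members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("pkg/__init__.py", "VERSION = '1.0'\n")
        zf.writestr("pkg/util.py", "def f():\n    return 1\n")
    return buf.getvalue()


def build_ambiguous_zip() -> bytes:
    """Constructed sample: the clean archive with the central directory name of
    the second member rewritten (same length, so no offsets move) and eight
    bytes appended after the EOCD record that its comment length does not cover."""
    data = bytearray(build_clean_zip())
    idx = data.rfind(b"pkg/util.py")  # last occurrence is the central directory copy
    data[idx : idx + 11] = b"pkg/main.py"
    data += b"\x00" * 8
    return bytes(data)


if __name__ == "__main__":
    for label, blob in (("clean", build_clean_zip()), ("ambiguous", build_ambiguous_zip())):
        print(label, audit_zip(blob) or "no findings")
```

Run it as a script to see the clean archive pass and the mutated one report both a `trailing_data` and a `name_mismatch` finding. A check like this belongs before any installer or unpacker touches the archive; the useful policy is to reject an archive on any finding rather than pick one of the two readings, since the whole problem is that different consumers pick differently.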
