N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-pqhf-p39g-3x64

EPSS Score

CWE

CWE-20

Published

10/29/2025

Updated

10/29/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-pqhf-p39g-3x64

GHSA-pqhf-p39g-3x64: uv allows ZIP payload obfuscation through parsing differentials

Impact

In versions 0.9.5 and earlier of uv, ZIP archives were handled in a manner that enabled two parsing differentials against other components of the Python packaging ecosystem:

Central directory entries in a ZIP archive can contain comment fields. However, uv would assume that these fields were not present, since they aren't widely used. Consequently, a ZIP archive could be constructed where uv would interpret the contents of a central directory comment field as ZIP control structures (such as a new central directory entry), rather than skipping over them.
Both local file entries and central directory entries contain filename fields, which are used to place archive members on disk. These fields are arbitrary sequences of bytes, and may therefore be invalid or ambiguous. For example, they may contain ASCII null bytes, in which case different ZIP extractors behave differently: Python's zipfile module truncates the filename at the first null, while uv would skip (not extract) any archive members whose filenames contained nulls. Because of this difference, a ZIP archive could be constructed that would extract differently across different Python package installers.

In both cases, the outcome is that an attacker may be able to produce a ZIP with a consistent digest that expands differently with different Python package installers.

Like with GHSA-8qf3-x8v5-2pj8, the impact of these differentials is limited by a number of factors:

To be compromised via this vulnerability, user interaction of some sort is required. In particular, the user must run uv pip install $package or similar with an attacker-controlled $package. When using wheel distributions, installation of the malicious package is not sufficient for execution of malicious code, the vicim would need to perform a separate invocation, e.g., python -c "import $package".
If a ZIP-based source distribution (which are less common than tarball source distributions), is encountered, malicious code can be executed during package resolution or installation. uv may invoke the malicious code when building the source distribution into a wheel.

Patches

Versions 0.9.6 and newer of uv address both of the parser differentials above, by properly handling comments in central directory entries and by refusing to process ZIPs that contain filename fields that are unlikely to be interpreted consistently across other ZIP parser implementations.

Workarounds

Users are advised to upgrade to 0.9.6 or newer to address this advisory.

Most users should experience no breaking changes as a result of the patch above. However, users who do experience breakage should carefully review their distributions for signs of malicious intent. Users may choose to set UV_INSECURE_NO_ZIP_VALIDATION=1 to revert to the previous behavior.

Attribution

This vulnerability was disclosed by Caleb Brown (Google).

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-pqhf-p39g-3x64

EPSS Score

CWE

CWE-20

Published

10/29/2025

Updated

10/29/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
uv	pip	<= 0.9.5	0.9.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in how uv processes ZIP archives, which is a core part of its functionality for installing Python packages. The analysis of the patch da659fee4898a73dbc75070f3e82d49f745e4628 reveals two main points of failure that were fixed.

First, the async_zip dependency was updated. The commit for the new revision in the forked repository astral-sh/rs-async-zip has a message indicating it fixes handling of ZIP entry comments. This directly corresponds to the first issue described in the advisory, where uv would misinterpret comment fields in the ZIP's central directory. This part of the vulnerability is within the async_zip dependency.

Second, uv's own code was changed to add validation for filenames within the archive. A new function, validate_archive_member_name, was introduced in crates/uv-extract/src/lib.rs to check for empty filenames and control characters (like null bytes). This addresses the second issue from the advisory, where uv handled filenames with null bytes differently from other tools like Python's zipfile module.

The vulnerable functions are the ones that orchestrate the ZIP extraction process, as they were the entry points for the vulnerable logic. These are uv_extract::stream::unzip (for async extraction) and uv_extract::sync::unzip (for sync extraction). Both functions were modified to call the new validate_archive_member_name function. Before the patch, these functions would extract files from ZIP archives without proper validation, making them vulnerable to the described parsing differentials. An attacker could exploit this by crafting a malicious wheel or source distribution in a ZIP format, which, when installed with uv pip install, could lead to unexpected behavior and potentially arbitrary code execution.

Vulnerable functions

uv_extract::stream::unzip

crates/uv-extract/src/stream.rs

This asynchronous function is responsible for unpacking ZIP archives. Before the patch, it did not validate filenames for malicious characters (like null bytes) and used a version of the `async_zip` library that incorrectly handled comments in ZIP central directory entries. This could lead to a parsing differential where a specially crafted ZIP file is interpreted differently by `uv` compared to other tools, potentially leading to the execution of malicious code during package installation.

uv_extract::sync::unzip

crates/uv-extract/src/sync.rs

This function is the synchronous version for unpacking ZIP archives. Similar to its async counterpart, it was vulnerable because it did not validate filenames for malicious characters and relied on a vulnerable version of a ZIP parsing library. An attacker could craft a ZIP file that would be processed insecurely by this function.

WAF Protection Rules

WAF Rule

### Imp**t In v*rsions *.*.* *n* **rli*r o* uv, ZIP *r**iv*s w*r* **n*l** in * m*nn*r t**t *n**l** two p*rsin* *i***r*nti*ls ***inst ot**r *ompon*nts o* t** Pyt*on p**k**in* **osyst*m: *. **ntr*l *ir**tory *ntri*s in * ZIP *r**iv* **n *ont*in *omm*

Reasoning

T** vuln*r**ility li*s in *ow `uv` pro**ss*s ZIP *r**iv*s, w*i** is * *or* p*rt o* its *un*tion*lity *or inst*llin* Pyt*on p**k***s. T** *n*lysis o* t** p*t** `****************************************` r*v**ls two m*in points o* **ilur* t**t w*r* *ix

N/A

Basic Information

Concerned about an active attack path?

GHSA-pqhf-p39g-3x64: uv allows ZIP payload obfuscation through parsing differentials

Impact

Patches

Workarounds

Attribution

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI