uv security advisory: ZIP payload obfuscation
Source: Astral
Date: 2025-08-07
URL: https://astral.sh/blog/uv-security-advisory-cve-2025-54368
Summary
CVE-2025-54368: uv v0.8.6 patches two ZIP parsing differentials that could let a crafted package extract differently under uv than under other installers: dangling local file entries with no central directory header, and ambiguous offset specs that caused “doubled ZIP” behaviour. PyPI confirmed no exploitation in the wild during the exposure window and has since added upload-side checks. Three innocent encoding errors were found across the top 15,000 packages, and there are no breaking changes for most users.
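A check for the first differential, written for this note as an added example (not code from uv, PyPI or the advisory): it walks local file headers from the start of the archive and reports any that no central directory header references. The function names and sample archives are constructed for illustration, and the front-to-back walk assumes entries without data descriptors.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
# Local file header: sig, version, flags, method, time, date, crc32,
# compressed size, uncompressed size, name length, extra length (30 bytes).
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")

def local_entries(data):
    """Walk local file headers front to back; yield (offset, name)."""
    pos = 0
    while data[pos:pos + 4] == LOCAL_SIG and pos + LOCAL_HDR.size <= len(data):
        fields = LOCAL_HDR.unpack_from(data, pos)
        flags, csize, nlen, xlen = fields[2], fields[7], fields[9], fields[10]
        if flags & 0x08:
            # Assumption of this sketch: sizes are in the header, not a descriptor.
            raise ValueError("entry at offset %d uses a data descriptor" % pos)
        start = pos + LOCAL_HDR.size
        yield pos, data[start:start + nlen].decode("utf-8", "replace")
        pos = start + nlen + xlen + csize

def find_dangling_local_entries(data):
    """Names of local entries that no central directory header points at."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        listed = {info.header_offset for info in zf.infolist()}
    return [name for off, name in local_entries(data) if off not in listed]

def build_samples():
    """Constructed test archives: (clean, with_dangling_entry)."""
    clean = io.BytesIO()
    with zipfile.ZipFile(clean, "w") as zf:
        zf.writestr("pkg/__init__.py", b"VERSION = '1.0'\n")
    name, body = "pkg/unlisted.py", b"# not in the central directory\n"
    donor = io.BytesIO()
    with zipfile.ZipFile(donor, "w") as zf:
        zf.writestr(name, body)
    # Keep only the local header and data, dropping the donor's directory.
    local_only = donor.getvalue()[:LOCAL_HDR.size + len(name) + len(body)]
    crafted = io.BytesIO()
    crafted.write(local_only)
    with zipfile.ZipFile(crafted, "w") as zf:  # written after the orphaned entry
        zf.writestr("pkg/__init__.py", b"VERSION = '1.0'\n")
    return clean.getvalue(), crafted.getvalue()

if __name__ == "__main__":
    clean, crafted = build_samples()
    print(find_dangling_local_entries(clean), find_dangling_local_entries(crafted))
```

Python's zipfile reads only the central directory, so it lists one file in the crafted sample while the header walk sees two.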
Implications
Supply-chain security is now uv’s problem to own. As uv becomes the default installer for a significant share of the Python ecosystem, its ZIP parser is a meaningful attack surface. This advisory shows Astral is treating that responsibility seriously — the fix tightens reconciliation between local and central directory headers, and the disclosure is clean and specific. The parallel thread: PyPI’s own defences improved as a direct result of this work, which is the correct systemic outcome. Watch for similar advisories as uv’s install-path footprint grows past pip and virtualenv.