Headline
GHSA-8qf3-x8v5-2pj8: uv allows ZIP payload obfuscation through parsing differentials
Impact
In versions 0.8.5 and earlier of uv, remote ZIP archives were handled in a streamwise fashion, and file entries were not reconciled against the archive’s central directory. This enabled two parser differentials against other Python package installers:
- An attacker could contrive a ZIP archive that would extract with legitimate contents on some package installers, and malicious contents on others due to multiple local file entries. The attacker could choose which installer to target.
- An attacker could contrive a “stacked” ZIP input with multiple internal ZIPs, which would be handled differently by different package installers. The attacker could choose which installer to target.
In both cases, the outcome is that an attacker can produce a ZIP with a consistent digest that expands differently with different installers.
The ZIP standard is ambiguous with respect to these behavior differentials. Consequently, these same differentials may be accepted ZIP parsers other than those used in uv. This advisory is for uv in particular, but all consumers of ZIP-based Python package distributions, e.g., pip, are potentially susceptible to similar parser differentials in other ZIP parsers.
The practical impact of these differentials is limited by a number of factors:
- To be compromised via this vulnerability, user interaction of some sort is required. In particular, the user must run
uv install $packagewith an attacker-controlled$package. - When using wheel distributions, installation of the malicious package is not sufficient for execution of malicious code, the vicim would need to perform a separate invocation, e.g.,
python -c "import $package". - If a ZIP-based source distribution (which are less common than tarball source distributions), is encountered, malicious code can be executed during package resolution or installation. uv may invoke the malicious code when building the source distribution into a wheel.
- The practical impact of these differentials is limited by a coordinated fix to Warehouse, PyPI’s backend: Warehouse now rejects ZIPs exhibiting these differentials, limiting the ability of an attacker to distribute malicious ZIP distributions via PyPI. As part of that coordinated fix, a review of Warehouse revealed no evidence of exploitation.
Patches
Versions 0.8.6 and newer of uv address both of the parser differentials above, by refusing to process ZIPs with duplicated local file entries or stacked contents.
Workarounds
Users are advised to upgrade to 0.8.6 or newer to address this advisory.
Most users should experience no breaking changes as a result of the patch above. However, users who do experience breakage should carefully review their distributions for signs of malicious intent. Users may choose to set UV_INSECURE_NO_ZIP_VALIDATION=1 to revert to the previous behavior.
Attribution
This vulnerability was discovered separately by two different individuals: Caleb Brown (Google) and Tim Hatch (Netflix).
Impact
In versions 0.8.5 and earlier of uv, remote ZIP archives were handled in a streamwise fashion, and file entries were not reconciled against the archive’s central directory. This enabled two parser differentials against other Python package installers:
- An attacker could contrive a ZIP archive that would extract with legitimate contents on some package installers, and malicious contents on others due to multiple local file entries. The attacker could choose which installer to target.
- An attacker could contrive a “stacked” ZIP input with multiple internal ZIPs, which would be handled differently by different package installers. The attacker could choose which installer to target.
In both cases, the outcome is that an attacker can produce a ZIP with a consistent digest that expands differently with different installers.
The ZIP standard is ambiguous with respect to these behavior differentials. Consequently, these same differentials may be accepted ZIP parsers other than those used in uv. This advisory is for uv in particular, but all consumers of ZIP-based Python package distributions, e.g., pip, are potentially susceptible to similar parser differentials in other ZIP parsers.
The practical impact of these differentials is limited by a number of factors:
- To be compromised via this vulnerability, user interaction of some sort is required. In particular, the user must run uv install $package with an attacker-controlled $package.
- When using wheel distributions, installation of the malicious package is not sufficient for execution of malicious code, the vicim would need to perform a separate invocation, e.g., python -c "import $package".
- If a ZIP-based source distribution (which are less common than tarball source distributions), is encountered, malicious code can be executed during package resolution or installation. uv may invoke the malicious code when building the source distribution into a wheel.
- The practical impact of these differentials is limited by a coordinated fix to Warehouse, PyPI’s backend: Warehouse now rejects ZIPs exhibiting these differentials, limiting the ability of an attacker to distribute malicious ZIP distributions via PyPI. As part of that coordinated fix, a review of Warehouse revealed no evidence of exploitation.
Patches
Versions 0.8.6 and newer of uv address both of the parser differentials above, by refusing to process ZIPs with duplicated local file entries or stacked contents.
Workarounds
Users are advised to upgrade to 0.8.6 or newer to address this advisory.
Most users should experience no breaking changes as a result of the patch above. However, users who do experience breakage should carefully review their distributions for signs of malicious intent. Users may choose to set UV_INSECURE_NO_ZIP_VALIDATION=1 to revert to the previous behavior.
Attribution
This vulnerability was discovered separately by two different individuals: Caleb Brown (Google) and Tim Hatch (Netflix).
References
- GHSA-8qf3-x8v5-2pj8
- astral-sh/uv@7f1eaf4
- https://astral.sh/blog/uv-security-advisory-cve-2025-54368
- https://blog.pypi.org/posts/2025-08-07-wheel-archive-confusion-attacks