Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.8
Malicious Code Execution in ZIP Archives on UV Software
GHSA-pqhf-p39g-3x64
CVE-2025-13327
Summary
A security issue has been found in UV software that allows an attacker to trick users into installing malicious code from a specially crafted ZIP file. This could lead to unauthorized actions on a system. To stay safe, users should only download packages from trusted sources and verify the authenticity of ZIP archives before opening them.
What to do
- Update uv to version 0.9.6.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | uv | <= 0.9.5 | 0.9.6 |
| – | uv | <= 0.9.6 | 0.9.6 |
Original title
A flaw was found in uv. This vulnerability allows an attacker to execute malicious code during package resolution or installation via specially crafted ZIP (Zipped Information Package) archives tha...
Original description
A flaw was found in uv. This vulnerability allows an attacker to execute malicious code during package resolution or installation via specially crafted ZIP (Zipped Information Package) archives that exploit parsing differentials, requiring user interaction to install an attacker-controlled package.
ghsa CVSS4.0
6.8
Vulnerability type
CWE-20
Improper Input Validation
CWE-436
CWE-1286
- https://github.com/astral-sh/uv/security/advisories/GHSA-pqhf-p39g-3x64
- https://github.com/astral-sh/uv/commit/da659fee4898a73dbc75070f3e82d49f745e4628
- https://github.com/advisories/GHSA-pqhf-p39g-3x64
- https://nvd.nist.gov/vuln/detail/CVE-2025-13327
- https://github.com/advisories/GHSA-v653-r55g-hcmg
- https://access.redhat.com/security/cve/CVE-2025-13327 URL
- https://bugzilla.redhat.com/show_bug.cgi?id=2407263 Third Party Advisory
- https://github.com/astral-sh/uv Product
Published: 27 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026