CNNVD-202508-797 Information
CNNVD ID
CNNVD-202508-797
Related CVE
- CNNVD Published: 2025-08-08
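Description (translated from Chinese)
Astral-sh uv is a Python package management tool from Astral. Astral-sh uv 0.8.5 and earlier contain a security vulnerability that stems from improper handling of ZIP archives and may lead to malicious code execution.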
Description (English)
Astral-sh uv is a Python package management tool from Astral. Astral-sh uv 0.8.5 and earlier versions have a security vulnerability that stems from improper handling of ZIP archives and may lead to malicious code execution.
Hazard Level
High
Vulnerability Type
Other
Affected Vendor
Astral
Published
2025-08-08
Last Modified
2026-02-24
References
https://github.com/astral-sh/uv/commit/7f1eaf48c193e045ca2c62c4581048765c55505f
https://blog.pypi.org/posts/2025-08-07-wheel-archive-confusion-attacks
https://astral.sh/blog/uv-security-advisory-cve-2025-54368
https://github.com/astral-sh/uv/security/advisories/GHSA-8qf3-x8v5-2pj8
https://vigilance.fr/vulnerability/uv-directory-traversal-via-ZIP-Archives-48025
Patch
https://github.com/astral-sh/uv/releases