CVE-2025-54368: uv allows ZIP payload obfuscation through parsing differentials

In versions 0.8.5 and earlier of uv, remote ZIP archives were handled in a streamwise fashion, and file entries were not reconciled against the archive’s central directory. This enabled two parser differentials against other Python package installers:

1. An attacker could contrive a ZIP archive that would extract with legitimate contents on some package installers, and malicious contents on others due to multiple local file entries. The attacker could choose which installer to target.
2. An attacker could contrive a “stacked” ZIP input with multiple internal ZIPs, which would be handled differently by different package installers. The attacker could choose which installer to target.

In both cases, the outcome is that an attacker can produce a ZIP with a consistent digest that expands differently with different installers.

The ZIP standard is ambiguous with respect to these behavior differentials. Consequently, these same differentials may be accepted ZIP parsers other than those used in uv. This advisory is for uv in particular, but all consumers of ZIP-based Python package distributions, e.g., pip, are potentially susceptible to similar parser differentials in other ZIP parsers.

The practical impact of these differentials is limited by a number of factors:

• To be compromised via this vulnerability, user interaction of some sort is required. In particular, the user must run uv install $package with an attacker-controlled $package.
• When using wheel distributions, installation of the malicious package is not sufficient for execution of malicious code, the vicim would need to perform a separate invocation, e.g., python -c "import $package".
• If a ZIP-based source distribution (which are less common than tarball source distributions), is encountered, malicious code can be executed during package resolution or installation. uv may invoke the malicious code when building the source distribution into a wheel.
• The practical impact of these differentials is limited by a coordinated fix to Warehouse, PyPI’s backend: Warehouse now rejects ZIPs exhibiting these differentials, limiting the ability of an attacker to distribute malicious ZIP distributions via PyPI. As part of that coordinated fix, a review of Warehouse revealed no evidence of exploitation.