CVE-2025-13327
Description
A flaw was found in uv. This vulnerability allows an attacker to execute malicious code during package resolution or installation via specially crafted ZIP (Zipped Information Package) archives that exploit parsing differentials, requiring user interaction to install an attacker-controlled package.
| Field | Value |
|---|---|
| Name | CVE-2025-13327 |
| Description | A flaw was found in uv. This vulnerability allows an attacker to execute malicious code during package resolution or installation via specially crafted ZIP (Zipped Information Package) archives that exploit parsing differentials, requiring user interaction to install an attacker-controlled package. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| uv (PTS) | forky, sid | 0.9.17+ds1-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| uv | source | (unstable) | (not affected) | | | |
Notes
- uv <not-affected> (Fixed before the initial upload to the archive)
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | | affected | |
| debian | forky | fixed | 0 |
| debian | sid | fixed | 0 |
References
- https://github.com/astral-sh/uv/security/advisories/GHSA-pqhf-p39g-3x64
- https://github.com/astral-sh/uv/commit/da659fee4898a73dbc75070f3e82d49f745e4628
- https://github.com/astral-sh/uv
- https://www.suse.com/security/cve/CVE-2025-13327.html
- https://nvd.nist.gov/vuln/detail/CVE-2025-13327
- https://access.redhat.com/security/cve/CVE-2025-13327
- https://bugzilla.redhat.com/show_bug.cgi?id=2407263
- https://security-tracker.debian.org/tracker/CVE-2025-13327