CVSS v3.1 base score: 6.3

CVE-2025-13327

uv: specially crafted ZIP archives lead to arbitrary code execution due to parsing differentials

A flaw was found in uv. This vulnerability allows an attacker to execute malicious code during package resolution or installation via specially crafted ZIP archives that exploit parsing differentials; it requires user interaction, namely installing an attacker-controlled package.
Data provided by the National Vulnerability Database (NVD)
Affected product: Astral uv (software platform: Python), versions < 0.9.6
No advisory was found for this CVE.
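The "parsing differential" in the description is the failure class CWE-1286 names: two parsers both accept an archive but disagree about what it contains, so the component that inspects a package and the component that extracts it can see different files. The following Python is an added illustration constructed for this page; it is not uv's code and does not reproduce uv's specific bug. It builds an archive whose central directory lists only one of two same-named local records, shows that a central-directory reader (Python's zipfile) and a streaming reader extract different content for the same path, and includes the kind of consistency check an installer can run to refuse such archives. The file names, the inert "planted" payload and the `listed` parameter of `build_zip` are constructions for this example.

```python
# Added illustration of a ZIP parsing differential; not uv's code.
import io
import struct
import zipfile
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
LOCAL_FMT = "<HHHHHIIIHH"          # local file header, 26 bytes after the signature
CENTRAL_FMT = "<HHHHHHIIIHHHHHII"  # central directory header, 42 bytes after the signature
EOCD_FMT = "<HHHHIIH"              # end-of-central-directory record, 18 bytes after the signature


def build_zip(entries, listed=None):
    """Write entries [(name, data), ...] uncompressed as local records, then a central
    directory listing only the indices in `listed` (default: all). A conforming writer
    lists every record; omitting one is what makes the archive ambiguous."""
    buf, offsets = bytearray(), []
    for name, data in entries:
        offsets.append(len(buf))
        buf += LOCAL_SIG + struct.pack(LOCAL_FMT, 20, 0, 0, 0, 0, zlib.crc32(data),
                                       len(data), len(data), len(name), 0) + name + data
    cd_start = len(buf)
    listed = list(range(len(entries))) if listed is None else listed
    for i in listed:
        name, data = entries[i]
        buf += CENTRAL_SIG + struct.pack(CENTRAL_FMT, 20, 20, 0, 0, 0, 0, zlib.crc32(data),
                                         len(data), len(data), len(name), 0, 0, 0, 0, 0,
                                         offsets[i]) + name
    buf += EOCD_SIG + struct.pack(EOCD_FMT, 0, 0, len(listed), len(listed),
                                  len(buf) - cd_start, cd_start, 0)
    return bytes(buf)


def read_via_central_directory(blob):
    """The installer's view: trust the central directory (what zipfile does)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


def read_streaming(blob):
    """A streaming extractor's view: walk local records from offset 0 and write each
    file as it arrives, so a later record with the same name overwrites an earlier one."""
    files, pos = {}, 0
    while blob[pos:pos + 4] == LOCAL_SIG:
        f = struct.unpack_from(LOCAL_FMT, blob, pos + 4)
        csize, nlen, xlen = f[6], f[8], f[9]
        start = pos + 30 + nlen + xlen
        files[blob[pos + 30:pos + 30 + nlen].decode()] = blob[start:start + csize]
        pos = start + csize
    return files


def validate_zip(blob):
    """Both views must describe the same records. Returns a list of problems (empty
    means consistent); an installer should refuse any archive that has problems."""
    problems = []
    eocd = blob.rfind(EOCD_SIG)
    if eocd < 0:
        return ["no end-of-central-directory record"]
    _, _, _, n_total, cd_size, cd_off, comment_len = struct.unpack_from(EOCD_FMT, blob, eocd + 4)
    if eocd + 22 + comment_len != len(blob):
        problems.append("trailing bytes after the EOCD record")
    if cd_off + cd_size != eocd:
        problems.append("central directory does not end at the EOCD record")
    local, pos = {}, 0  # offset -> (name, crc, csize, usize) as the local records say
    while pos < cd_off and blob[pos:pos + 4] == LOCAL_SIG:
        f = struct.unpack_from(LOCAL_FMT, blob, pos + 4)
        local[pos] = (blob[pos + 30:pos + 30 + f[8]], f[5], f[6], f[7])
        pos += 30 + f[8] + f[9] + f[6]
    if pos != cd_off:
        problems.append(f"unparsed bytes between offset {pos} and the central directory at {cd_off}")
    central, pos = {}, cd_off  # the same, as the central directory claims
    while pos < cd_off + cd_size and blob[pos:pos + 4] == CENTRAL_SIG:
        f = struct.unpack_from(CENTRAL_FMT, blob, pos + 4)
        central[f[15]] = (blob[pos + 46:pos + 46 + f[9]], f[6], f[7], f[8])
        pos += 46 + f[9] + f[10] + f[11]
    if len(central) != n_total:
        problems.append(f"EOCD claims {n_total} entries, central directory has {len(central)}")
    for off in local.keys() - central.keys():
        problems.append(f"local record {local[off][0]!r} at offset {off} is not in the central directory")
    for off in central.keys() - local.keys():
        problems.append(f"central entry {central[off][0]!r} points at offset {off} with no local record")
    for off in local.keys() & central.keys():
        if local[off] != central[off]:
            problems.append(f"name, CRC or size mismatch for the record at offset {off}")
    return problems


# Constructed sample archives; the "planted" payload is an inert placeholder.
BENIGN = (b"pkg/__init__.py", b"print('hello from the benign module')\n")
PLANTED = (b"pkg/__init__.py", b"# attacker-controlled replacement (placeholder)\n")


def honest_archive():
    return build_zip([BENIGN])


def crafted_archive():
    """Two local records share a name; the central directory lists only the first
    (planted) one, so a central-directory reader extracts it while a streaming
    reader ends up with the benign second copy."""
    return build_zip([PLANTED, BENIGN], listed=[0])
```

On `crafted_archive()`, `read_via_central_directory` returns the planted content for `pkg/__init__.py`, `read_streaming` returns the benign content, and `validate_zip` reports the unreferenced local record; on `honest_archive()` both readers agree and the validator returns an empty list. The validator deliberately treats any disagreement between the two views as a reason to reject rather than trying to pick the "right" interpretation.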
EPSS metrics
Type  Source     Score  Percentile
EPSS  FIRST.org  0.15%  0.045

CVSS metrics
Source               Base score  Exploitability score  Impact score  Vector string
nvd@nist.gov         6.3         0.3                   5.9           CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
secalert@redhat.com  6.3         0.3                   5.9           CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
CWE-1286 Improper Validation of Syntactic Correctness of Input

The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.

https://access.redhat.com/security/cve/CVE-2025-13327
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2407263
Issue Tracking
https://github.com/astral-sh/uv
Product
https://github.com/astral-sh/uv/commit/da659fee4898a73dbc75070f3e82d49f745e4628
Patch
https://github.com/astral-sh/uv/security/advisories/GHSA-pqhf-p39g-3x64
Vendor Advisory