#VU125722 Improper input validation in uv - CVE-2025-62518
Published: April 9, 2026
Vulnerability identifier: #VU125722
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-62518
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
uv
uv
Software vendor:
Astral
Astral
Description
The vulnerability allows a remote attacker to cause inconsistent extraction behavior.
The vulnerability exists due to improper input validation in tar extraction handling when processing source distribution tar archives containing PAX headers with file size overrides. A remote attacker can provide a specially crafted source distribution to cause inconsistent extraction behavior.
Only source distributions formatted as tar archives are affected.
Remediation
Install security update from vendor's website.