Improper input validation in uv - CVE-2025-62518
Published: April 9, 2026
Vulnerability identifier: #VU125722
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-62518
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Astral
Affected software:
uv
uv
Detailed vulnerability description
The vulnerability allows a remote attacker to cause inconsistent extraction behavior.
The vulnerability exists due to improper input validation in tar extraction handling when processing source distribution tar archives containing PAX headers with file size overrides. A remote attacker can provide a specially crafted source distribution to cause inconsistent extraction behavior.
Only source distributions formatted as tar archives are affected.
How to mitigate CVE-2025-62518
Install security update from vendor's website.