Path traversal in uv - #VU125723
Published: April 9, 2026
uv
Detailed vulnerability description
The vulnerability allows a remote user to delete arbitrary files.
The vulnerability exists due to improper path restriction in RECORD entry handling when uninstalling a wheel with crafted relative paths. A remote user can provide a specially crafted wheel to delete arbitrary files.
User interaction is required to install and later uninstall the malformed wheel. Only files can be deleted, and the crafted RECORD entries must be manually manipulated to traverse outside the installation prefix.