Path traversal in uv - #VU125723


Published: April 9, 2026


Vulnerability identifier: #VU125723
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Astral
Affected software:
uv

Detailed vulnerability description

The vulnerability allows a remote user to delete arbitrary files.

The vulnerability exists due to improper path restriction in RECORD entry handling when uninstalling a wheel with crafted relative paths. A remote user can provide a specially crafted wheel to delete arbitrary files.

User interaction is required to install and later uninstall the malformed wheel. Only files can be deleted, and the crafted RECORD entries must be manually manipulated to traverse outside the installation prefix.
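A defender-side check for the weakness described above, added here as an example that is not uv's code or the vendor's fix: it parses a wheel RECORD file (CSV rows of path, hash, size) and rejects every entry that would resolve outside the installation prefix, so an uninstaller only ever deletes files it installed. The prefix and the RECORD contents are constructed sample values.

```python
import csv
import io
from pathlib import Path, PurePosixPath

# Constructed sample RECORD. The third and fourth rows are the kind of
# crafted entries the advisory describes: one climbs out of the prefix
# with "..", the other is absolute.
SAMPLE_RECORD = (
    "pkg/__init__.py,sha256=abc,12\n"
    "pkg-1.0.dist-info/RECORD,,\n"
    "../../etc/important.conf,sha256=def,3\n"
    "/abs/path/file,sha256=ghi,1\n"
)


def parse_record(text):
    """Yield the path column of each non-empty RECORD row."""
    for row in csv.reader(io.StringIO(text)):
        if row and row[0]:
            yield row[0]


def is_within_prefix(prefix, rel_path):
    """True only if rel_path is a relative path that stays inside prefix.

    Two independent checks: a lexical one that refuses absolute paths and
    any ".." segment at all, and a resolved one that confirms the final
    location is under the prefix. resolve() follows symlinks, so an
    in-prefix symlink pointing outside is rejected as well.
    """
    p = PurePosixPath(rel_path)
    if p.is_absolute() or ".." in p.parts:
        return False
    root = Path(prefix).resolve()
    target = (root / rel_path).resolve()
    return target == root or root in target.parents


def partition_record(prefix, record_text):
    """Split RECORD entries into (safe_to_delete, rejected) for prefix."""
    safe, rejected = [], []
    for rel in parse_record(record_text):
        (safe if is_within_prefix(prefix, rel) else rejected).append(rel)
    return safe, rejected


if __name__ == "__main__":
    ok, bad = partition_record("/opt/venv/lib/site-packages", SAMPLE_RECORD)
    print("would delete:", ok)
    print("rejected:", bad)
```

An uninstaller built on this would log the rejected set rather than silently skipping it, since a rejected entry is a strong signal that the wheel was tampered with.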


Remediation

Install the security update from the vendor's website.

Sources