CVE-2025-13327

A flaw was found in uv. This vulnerability allows an attacker to execute malicious code during package resolution or installation via specially crafted ZIP (Zipped Information Package) archives that exploit parsing differentials, requiring user interaction to install an attacker-controlled package.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.3 MEDIUM
LOCAL
HIGH
HIGH
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
redhatCNA
6.3 MEDIUM
LOCAL
HIGH
HIGH
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Common Weakness Enumeration
References
https://access.redhat.com/security/cve/CVE-2025-13327
https://bugzilla.redhat.com/show_bug.cgi?id=2407263
https://github.com/astral-sh/uv
https://github.com/astral-sh/uv/commit/da659fee4898a73dbc75070f3e82d49f745e4628
https://github.com/astral-sh/uv/security/advisories/GHSA-pqhf-p39g-3x64