#VU125723 Path traversal in uv
Published: April 9, 2026
Vulnerability identifier: #VU125723
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
uv
uv
Software vendor:
Astral
Astral
Description
The vulnerability allows a remote user to delete arbitrary files.
The vulnerability exists due to improper path restriction in RECORD entry handling when uninstalling a wheel with crafted relative paths. A remote user can provide a specially crafted wheel to delete arbitrary files.
User interaction is required to install and later uninstall the malformed wheel. Only files can be deleted, and the crafted RECORD entries must be manually manipulated to traverse outside the installation prefix.
Remediation
Install security update from vendor's website.