
GHSA-pjjw-68hj-v9mw: uv vulnerable to arbitrary file deletion through RECORD entries

April 10, 2026

Wheel RECORD entries can contain relative paths that traverse outside of the wheel’s installation prefix. In versions 0.11.5 and earlier of uv, these wheels were not rejected on installation and the RECORD was respected without validation on uninstall.

uv uses the RECORD to determine files to remove on uninstall. Consequently, a malicious or malformed wheel could induce deletion of arbitrary files outside of the wheel’s installation prefix on uninstall.

uv does not use the RECORD file to determine wheel file paths. Invalid RECORD entries cannot be used to create or modify files in arbitrary locations.

Standards-compliant Python packaging tooling does not produce RECORD files that exhibit this behavior; an attacker must manually manipulate the RECORD. A user must install and uninstall the malformed wheel to be affected. An attack must guess the depth of the installation prefix path in order to target system files.

Absolute paths in RECORD files are not allowed by the specification and, when present, uv always treats them as rooted in the wheel’s installation prefix. Absolute paths cannot be used to delete arbitrary files.

Only files can be deleted; attempts to delete a directory via an invalid RECORD entry will fail.
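As an added example (not uv's own code), the following check audits a wheel's RECORD for entries that would escape the installation prefix when resolved, treating absolute entries as rooted in the prefix exactly as the advisory describes. The RECORD contents and the prefix are constructed for illustration.

```python
import csv
import io
import posixpath

# Constructed sample RECORD (not from any real wheel). RECORD is a CSV of
# path,hash,size. The second row traverses out of the prefix with "..", the
# third is absolute (not permitted by the spec), the others are ordinary.
SAMPLE_RECORD = """pkg/__init__.py,sha256=abc,10
../../../etc/important.conf,sha256=def,20
/usr/local/lib/x.py,,
pkg/sub/../data.txt,sha256=ghi,5
pkg-1.0.dist-info/RECORD,,
"""


def record_paths(record_text):
    """Yield the path column of every non-empty RECORD row."""
    for row in csv.reader(io.StringIO(record_text)):
        if row and row[0]:
            yield row[0]


def is_confined(path, prefix="/site-packages"):
    """True if `path`, resolved against `prefix`, stays inside `prefix`.

    Absolute entries are rooted in the prefix (the behaviour the advisory
    describes for uv), so only ".." traversal can escape. posixpath is used
    because RECORD paths are '/'-separated on every platform.
    """
    prefix = posixpath.normpath(prefix)
    resolved = posixpath.normpath(posixpath.join(prefix, path.lstrip("/")))
    return resolved == prefix or resolved.startswith(prefix + "/")


def audit_record(record_text, prefix="/site-packages"):
    """Return the RECORD entries that would resolve outside `prefix`.

    A non-empty result means the wheel should be rejected before install,
    and its RECORD must not be trusted to drive an uninstall.
    """
    return [p for p in record_paths(record_text) if not is_confined(p, prefix)]
```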

References

  • github.com/advisories/GHSA-pjjw-68hj-v9mw
  • github.com/astral-sh/uv
  • github.com/astral-sh/uv/commit/7983c7a5bef236fd8a04580fcedae7bd5bde4cdb
  • github.com/astral-sh/uv/commit/a0e461ac44851f9a0f6e8974733e77d46f7a9ea9
  • github.com/astral-sh/uv/pull/18942
  • github.com/astral-sh/uv/pull/18943
  • github.com/astral-sh/uv/releases/tag/0.11.6
  • github.com/astral-sh/uv/security/advisories/GHSA-pjjw-68hj-v9mw

Affected versions

All versions before 0.11.6

Fixed versions

  • 0.11.6

Solution

Upgrade to version 0.11.6 or above.

Impact: 4.3 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Weakness

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Source file

pypi/uv/GHSA-pjjw-68hj-v9mw.yml

Page generated Sat, 09 May 2026 12:19:09 +0000.