Skip to content

Seth Larson

Preventing ZIP parser confusion attacks on Python package installers

The Python Package Index is introducing new restrictions to protect Python package installers and inspectors from confusion attacks arising from ZIP parser implementations. This has been done in response to the discovery that the popular installer uv has a different extraction behavior to many Python-based installers that use the ZIP parser implementation provided by the zipfile standard library module.

Summary

  • ZIP archives constructed to exploit ZIP confusion attacks are now rejected by PyPI.
  • There is no evidence that this vulnerability has been exploited using PyPI.
  • PyPI is deprecating wheel distributions with incorrect RECORD files.

Please see this blog post and CVE-2025-54368 for more information on uv's patch.

Supply-chain attack analysis: Ultralytics

Last week, the Python project “ultralytics” suffered a supply-chain attack through a compromise of the projects’ GitHub Actions workflows and subsequently its PyPI API token. No security flaw in PyPI was used to execute this attack. Versions 8.3.41, 8.3.42, 8.3.45, and 8.3.46 were affected and have been removed from PyPI.