Alerts This Week
Warning Icon 1 626
Alerts This Week
Warning Icon 1 626

Warning: Undefined array key "Description" in /var/www/www.linuxsecurity.com-443/html/lsadvisories/lsadvisories.php on line 220

Fedora 42: uv Critical Path Traversal Issue CVE-2025-59825 Advisory

fedora
Calendar Grey October 3, 2025
Dist Fedora Esm H88
Addressing critical path traversal issue for uv in Fedora 42 with CVE-2025-59825, urgent update recommended.
Security update for path traversal CVE-2025-59825 / GHSA-3wgq-wrwc-vqmv.

Summary

An extremely fast Python package installer and resolver, written in Rust.

Designed as a drop-in replacement for common pip and pip-tools workflows.

Highlights:

\u2022 \u2696\ufe0f Drop-in replacement for common pip, pip-tools, and virtualenv commands.

\u2022 \u26a1\ufe0f 10-100x faster than pip and pip-tools (pip-compile and pip-sync).

\u2022 \U0001f4be Disk-space efficient, with a global cache for dependency deduplication.

\u2022 \U0001f40d Installable via curl, pip, pipx, etc. uv is a static binary that can be

installed without Rust or Python.

\u2022 \U0001f9ea Tested at-scale against the top 10,000 PyPI packages.

\u2022 \U0001f5a5\ufe0f Support for macOS, Linux, and Windows.

\u2022 \U0001f9f0 Advanced features such as dependency version overrides and alternative

resolution strategies.

\u2022 \u2049\ufe0f Best-in-class error messages with a conflict-tracking resolver.

\u2022 \U0001f91d Support for a wide range of advanced pip features, including editable

installs, Git dependencies, direct URL dependencies, local dependencies,

constraints, source distributions, HTML and JSON indexes, and more.

Update Information:

Security update for path traversal CVE-2025-59825 / GHSA-3wgq-wrwc-vqmv.

Topics%20covered

Topics Covered

security advisory fedora update critical path traversal uv

Change Log

* Wed Sep 24 2025 Benjamin A. Beasley - 0.8.11-4 - Rebuilt with astral-tokio-tar version 0.5.5 - Security fix for path traversal CVE-2025-59825 / GHSA-3wgq-wrwc-vqmv * Fri Sep 19 2025 Python Maint - 0.8.11-3 - Rebuilt for Python 3.14.0rc3 bytecode

References


[ 1 ] Bug #2397719 - CVE-2025-59825 rust-astral-tokio-tar: astral-tokio-tar path traversal [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2397719 [ 2 ] Bug #2397720 - CVE-2025-59825 uv: astral-tokio-tar path traversal [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2397720

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-5e50082948' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
critical
Lowest
Low
Medium
High
Critical

Name: uv
Product: Fedora 42
Version: 0.8.11
Release: 4.fc42
URL: https://github.com/astral-sh/uv
Summary: An extremely fast Python package installer and resolver, written in Rust

Topics%20covered

Topics Covered

security advisory fedora update critical path traversal uv

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here