GHSA-pjjw-68hj-v9mw

## Impact

Wheel RECORD entries can contain relative paths that traverse outside of the wheel’s installation prefix. In versions 0.11.5 and earlier of uv, these wheels were not rejected on installation and the RECORD was respected without validation on uninstall.

uv uses the RECORD to determine files to remove on uninstall. Consequently, a malicious or malformed wheel could induce deletion of arbitrary files outside of the wheel’s installation prefix on uninstall.

uv does not use the RECORD file to determine wheel file paths. Invalid RECORD entries cannot be used to create or modify files in arbitrary locations.

Standards-compliant Python packaging tooling does not produce RECORD files that exhibit this behavior; an attacker must manually manipulate the RECORD. A user must install *and* uninstall the malformed wheel to be affected. An attack must guess the depth of the installation prefix path in order to target system files.

Absolute paths in RECORD files are not allowed by the specification and, when present, uv always treats them as rooted in the wheel’s installation prefix. Absolute paths cannot be used to delete arbitrary files.

Only files can be deleted, attempts to delete a directory via an invalid RECORD entry will fail.

## Patches

Versions [0.11.6](https://github.com/astral-sh/uv/releases/tag/0.11.6) and newer of uv address the validation gap above, by [removing invalid entries from RECORD files on wheel installation](https://github.com/astral-sh/uv/pull/18943) and [ignoring RECORD paths that would escape the installation prefix on uninstall](https://github.com/astral-sh/uv/pull/18942).

## Workarounds

Users are advised to upgrade to 0.11.6 or newer to address this advisory.

Users should experience no breaking changes as a result of the patch above.