Key vulnerability information

Bug ID: Bug 2407263 (CVE-2025-13327, GHSA-pqhf-p39g-3x64)
Description: Specially crafted ZIP archives can lead to arbitrary code execution due to parsing differentials.
Reported: 2025-10-29 23:06 UTC
Status: NEW
Product: Security Response
Component: vulnerability
Version: unspecified
OS: Linux
Priority: medium
Severity: medium
Reporter: OSIDB Bzimport

Impact

ZIP handling issue: In versions 0.9.5 and earlier of , ZIP archives were handled in a way that enabled two parsing differentials against other components of the Python packaging ecosystem.

- Central directory entries in a ZIP archive can contain comment fields, but would not interpret or process them. An attacker could leverage this by constructing a ZIP archive with specially crafted comment fields to exploit this vulnerability.
- Both local file entries and central directory entries can contain filename fields. If these fields contain ASCII null bytes, Python's module truncates the filename at the first null byte. would not handle this consistently, leading to potential arbitrary code execution.

Solution

Upgrade: Users are advised to upgrade to version 0.9.6 or newer, which addresses both parsing differentials by properly handling comments in central directory entries and refusing to process ZIPs with unusual filename fields.
Environment variable: Users experiencing issues can set to revert to the previous behavior.
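As an added illustration of the two differentials described above (this is example code written for this page, not code from the advisory or from the affected project), the following Python audit walks a ZIP's central directory and local file headers byte-for-byte, compares what it finds with what Python's zipfile module reports, and flags the conditions a fixed consumer would refuse: per-entry comments in the central directory, null bytes in a filename field, and a local-header filename that disagrees with the central-directory filename. The four sample archives are constructed inline; the name-decoding assumption (ASCII/UTF-8 names) is marked in a comment, and the project's own validation logic and its environment variable are not reproduced here.

```python
import io
import struct
import zipfile

# Signatures and fixed header sizes from the ZIP specification (APPNOTE.TXT).
EOCD_SIG, CD_SIG, LOCAL_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"
EOCD_SIZE, CD_FIXED, LOCAL_FIXED = 22, 46, 30


def _find_eocd(data: bytes) -> int:
    """Locate the End of Central Directory record; an archive comment of up to 65535 bytes may follow it."""
    pos = data.rfind(EOCD_SIG, max(0, len(data) - (EOCD_SIZE + 0xFFFF)))
    if pos < 0:
        raise ValueError("no End of Central Directory record")
    return pos


def raw_entries(data: bytes):
    """Walk the central directory byte-for-byte, with no normalisation of names.

    Yields (central_name, entry_comment, local_name) for every entry, reading the
    matching local file header so the two filename fields can be compared.
    """
    eocd = _find_eocd(data)
    _, _, _, _, total, _, cd_offset, _ = struct.unpack("<4sHHHHIIH", data[eocd:eocd + EOCD_SIZE])
    pos = cd_offset
    for _ in range(total):
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError("bad central directory signature")
        name_len, extra_len, comment_len = struct.unpack("<HHH", data[pos + 28:pos + 34])
        (local_off,) = struct.unpack("<I", data[pos + 42:pos + 46])
        name = data[pos + CD_FIXED:pos + CD_FIXED + name_len]
        comment_at = pos + CD_FIXED + name_len + extra_len
        comment = data[comment_at:comment_at + comment_len]
        if data[local_off:local_off + 4] != LOCAL_SIG:
            raise ValueError("bad local file header signature")
        (lname_len,) = struct.unpack("<H", data[local_off + 26:local_off + 28])
        local_name = data[local_off + LOCAL_FIXED:local_off + LOCAL_FIXED + lname_len]
        yield name, comment, local_name
        pos = comment_at + comment_len


def audit_zip(data: bytes) -> list:
    """Return (finding, filename) pairs for the anomalies the advisory describes; empty means clean.

    A consumer that wants the post-fix behaviour rejects the archive when this list is non-empty.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        python_names = [zi.filename for zi in zf.infolist()]  # the view Python's zipfile gives
    for (name, comment, local_name), py_name in zip(raw_entries(data), python_names):
        # Assumption: names are ASCII/UTF-8; zipfile decodes cp437 when the UTF-8 flag is unset.
        shown = name.decode("utf-8", "replace")
        if comment:
            findings.append(("entry-comment", shown))
        if b"\x00" in name or b"\x00" in local_name:
            findings.append(("null-byte-in-filename", shown))
        if name != local_name:
            findings.append(("local-vs-central-name-mismatch", shown))
        if shown != py_name:  # zipfile truncated at the null byte: the parsing differential
            findings.append(("python-view-differs", shown))
    return findings


def build_sample_archives() -> dict:
    """Constructed test archives (written for this example, not taken from the advisory)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a_b.txt", "hello")
    clean = buf.getvalue()

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zi = zipfile.ZipInfo("a_b.txt")
        zi.comment = b"per-entry comment"  # zipfile writes ZipInfo.comment into the central directory
        zf.writestr(zi, "hello")
    commented = buf.getvalue()

    # Same-length byte patches keep every offset valid. zipfile.ZipInfo strips null bytes from
    # names on construction, so the null-byte case is produced by patching both headers.
    nulled = clean.replace(b"a_b.txt", b"a\x00b.txt")
    # The local header precedes the central directory, so patching only the first occurrence
    # makes the local filename disagree with the central-directory filename.
    mismatched = clean.replace(b"a_b.txt", b"a_c.txt", 1)
    return {"clean": clean, "commented": commented, "nulled": nulled, "mismatched": mismatched}


if __name__ == "__main__":
    for label, blob in build_sample_archives().items():
        print(label, audit_zip(blob) or "ok")
```

The "nulled" archive is the interesting one: the raw walk reports the full name while zipfile reports only the part before the null byte, which is exactly the disagreement between parsers that the advisory calls a parsing differential. Rejecting any archive with a non-empty finding list is the same policy as the fix's "refusing to process ZIPs with unusual filename fields", extended to cover entry comments as well.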