Browse all 5 CVE security advisories affecting astral-sh. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Astral-sh is a shell implementation primarily used for Unix-like environments, offering command-line interface capabilities. Historically, it has been associated with multiple remote code execution vulnerabilities, cross-site scripting issues, and privilege escalation flaws. The project maintains five CVE records, with several RCE vulnerabilities allowing attackers to execute arbitrary code through crafted input or environment variables. While no major public security incidents have been documented, the consistent discovery of critical flaws suggests potential risks in environments where astral-sh handles untrusted input. Its lightweight design introduces security considerations similar to other shell implementations, particularly when processing complex command structures or network-derived data.
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-32766 | astral-tokio-tar insufficiently validates PAX extensions during extraction | tokio-tar | CWE-436 | 9.1 | - | 2026-03-20 |
| CVE-2025-13327 | uv: specially crafted zip archives lead to arbitrary code execution due to parsing differentials | uv | CWE-1286 | 6.3 | Medium | 2026-02-27 |
| CVE-2025-62518 | astral-tokio-tar Vulnerable to PAX Header Desynchronization | tokio-tar | CWE-843 | 8.1 | High | 2025-10-21 |
| CVE-2025-59825 | astral-tokio-tar has a path traversal in tar extraction | tokio-tar | CWE-22 | 7.5 | - | 2025-09-23 |
| CVE-2025-54368 | uv is vulnerable to ZIP payload obfuscation through parsing differentials | uv | CWE-436 | 9.1 | - | 2025-08-08 |
This page lists every published CVE security advisory associated with astral-sh. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.