> This has been done in response to the discovery that the popular installer uv has a different extraction behavior to many Python-based installers that use the ZIP parser implementation provided by the zipfile standard library module.
> For maintainers of installer projects: Ensure that your ZIP implementation follows the ZIP standard and checks the Central Directory before proceeding with decompression. See the CPython zipfile module for a ZIP implementation that implements this logic. Begin checking the RECORD file against ZIP contents and erroring or warning the user that the wheel is incorrectly formatted.
Good to know that I won't need to work around any issues with `zipfile` — and it would be rather absurd for any Python-based installer to use anything else to do the decompression. (Checking RECORD for consistency is straightforward, although of course it takes time.)
... but surely uv got its zip-decompression logic from a crate rather than hand-rolling it? How many other Rust projects out there might have questionable handling of zip files?
> PyPI already implements ZIP and tarball compression-bomb detection as a part of upload processing.
... The implication is that `zipfile` doesn't handle this. But perhaps it can't really? Are there valid uses for zips that work that way? (Or maybe there isn't a clear rule for what counts as a "bomb", and PyPI has to choose a threshold value?)
> and it would be rather absurd for any Python-based installer to use anything else to do the decompression.
You'd reasonably think, but it's difficult to assert this: a lot of people use third-party tooling (uv, but also a lot of hand-rolled stuff), and Python packages aren't always processed in a straight-line-from-the-index manner.
(I think a good reference example of this is security scanners: a scanner might fetch a wheel ZIP and analyze it, and use whatever ZIP implementation it pleases.)
It's also worth noting that one of the differentials here concerns the Central Directory, but the other one is more pernicious: the ZIP APPNOTE[1] isn't really clear about how implementations should key from to EOCDR back to the local file entries, and implementations have (reasonably, IMO) interpreted the language differently. Python's zipfile chooses to do it in one way that I think is justifiable, but it's a "true" differential in the sense that there's no golden answer.
> (Or maybe there isn't a clear rule for what counts as a "bomb", and PyPI has to choose a threshold value?)
Yes, it's this. There are legitimate uses for high-ratio archives (e.g. compressed OS images), but Python package distributions are (generally) not one of them. PyPI has its own compression ratio that's intended to be a sweet spot between "that was compressed really well" and "someone is trying to ZIP-bomb the index."
> You'd reasonably think, but it's difficult to assert this: a lot of people use third-party tooling (uv, but also a lot of hand-rolled stuff),
I mean, for people (like myself) explicitly attempting to implement alternatives to pip. And to my understanding, pip itself does use `zipfile` as well.
Are you proposing that there are people out there making package installers for personal use?
> and Python packages aren't always processed in a straight-line-from-the-index manner.
> Are you proposing that there are people out there making package installers for personal use?
I gave an example in the original comment: there's a lot of random ass tooling out there that treats Python wheels as a mostly opaque archive, and unpacks/repacks them in various ways. The original PEP behind wheels also (implicitly) expects this, since it refers to extraction with a "ZIP client" and not Python's zipfile specifically.
I think security scanners are a simple example, but Linux distros, Homebrew, etc. all also process Python package distributions in ways that mostly just assume a ZIP container, without additionally trying to exactly match how Python's `zipfile` behaves.
> I don't know what you have in mind here.
The security scanner example from the original comment.
Interesting. (I have neither the familarity with Rust, nor the willingness to spend time on it, to decide how much of this is the fault of the original vs the fork.)
Related to multiple .zip formats: I've found macOS Archive Utility sometimes refuses to extract early pkzip .zips created on MS-DOS, but yet Info-ZIP handles them just fine.
And, the macOS Archive Utility will complain that a proper .tar.bz2 is "corrupt" created using bzip2.
In general, be liberal in input and be conservative in output. Sometimes, this means using less features or certain older formats so that all/most things work without issues.
> In general, be liberal in input and be conservative in output.
That is a dangerous maxim in a world with malicious players. In fact this PyPI problem is precisely because zip files are being too readily accepted, even if they have ambiguous meaning. Their fix is (very sensibly) to be less liberal with their input.
This hasn't been considered well-regarded for a very long time. I'd say the opposite is dogmatic: we're in a post-Postel world[1], in part because of observed security failures over the last 30 years.
Maybe in the early days of the internet, or in closed systems, but in the open internet it's naive and actually leads to more brittle systems.
Sorry to repeat myself, but case in point is the article we're discussing! If something is accepted that is not in the specification then obviously its behaviour is unspecified. That means different implementations can easily have different behaviours, which can lead to security issues exactly like this one.
Even when there's no malice involved, it can often lead to de facto extensions to the specification. If several implementations accept something outside the standard (with roughly the same behaviour), and one accidentally produces it, then soon it becomes relied upon and all implementations need to handle it. Then the standard is no longer authoritative, or has to be retrospectively updated (see for example the huge part of the HTML spec that deals with otherwise invalid HTML).
(Search results for `npm package format` are entirely not useful for figuring out what an NPM package actually consists of, beyond containing a `package.json` file. `pypi package format` results look wildly different; the first result I get is https://packaging.python.org/en/latest/discussions/package-f... which is quite comprehensive about the exact information I want — disregarding for a moment the fact that I already know this stuff ;) The NPM search results, for me, start with a Geeks4Geeks tutorial on creating a package. Is there even anything analogous to the Python Packaging Authority — misunderstood and not-actually-authoritative as it is — for NPM?)
Ah. Python source distributions are the same, so there may be additional considerations there. Though in general it doesn't seem like there's much concern in the Python ecosystem about that, considering that building them will run arbitrary code anyway....
> This has been done in response to the discovery that the popular installer uv has a different extraction behavior to many Python-based installers that use the ZIP parser implementation provided by the zipfile standard library module.
> For maintainers of installer projects: Ensure that your ZIP implementation follows the ZIP standard and checks the Central Directory before proceeding with decompression. See the CPython zipfile module for a ZIP implementation that implements this logic. Begin checking the RECORD file against ZIP contents and erroring or warning the user that the wheel is incorrectly formatted.
Good to know that I won't need to work around any issues with `zipfile` — and it would be rather absurd for any Python-based installer to use anything else to do the decompression. (Checking RECORD for consistency is straightforward, although of course it takes time.)
... but surely uv got its zip-decompression logic from a crate rather than hand-rolling it? How many other Rust projects out there might have questionable handling of zip files?
> PyPI already implements ZIP and tarball compression-bomb detection as a part of upload processing.
... The implication is that `zipfile` doesn't handle this. But perhaps it can't really? Are there valid uses for zips that work that way? (Or maybe there isn't a clear rule for what counts as a "bomb", and PyPI has to choose a threshold value?)
> and it would be rather absurd for any Python-based installer to use anything else to do the decompression.
You'd reasonably think, but it's difficult to assert this: a lot of people use third-party tooling (uv, but also a lot of hand-rolled stuff), and Python packages aren't always processed in a straight-line-from-the-index manner.
(I think a good reference example of this is security scanners: a scanner might fetch a wheel ZIP and analyze it, and use whatever ZIP implementation it pleases.)
It's also worth noting that one of the differentials here concerns the Central Directory, but the other one is more pernicious: the ZIP APPNOTE[1] isn't really clear about how implementations should key from to EOCDR back to the local file entries, and implementations have (reasonably, IMO) interpreted the language differently. Python's zipfile chooses to do it in one way that I think is justifiable, but it's a "true" differential in the sense that there's no golden answer.
> (Or maybe there isn't a clear rule for what counts as a "bomb", and PyPI has to choose a threshold value?)
Yes, it's this. There are legitimate uses for high-ratio archives (e.g. compressed OS images), but Python package distributions are (generally) not one of them. PyPI has its own compression ratio that's intended to be a sweet spot between "that was compressed really well" and "someone is trying to ZIP-bomb the index."
[1]: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT
> You'd reasonably think, but it's difficult to assert this: a lot of people use third-party tooling (uv, but also a lot of hand-rolled stuff),
I mean, for people (like myself) explicitly attempting to implement alternatives to pip. And to my understanding, pip itself does use `zipfile` as well.
Are you proposing that there are people out there making package installers for personal use?
> and Python packages aren't always processed in a straight-line-from-the-index manner.
I don't know what you have in mind here.
> Are you proposing that there are people out there making package installers for personal use?
I gave an example in the original comment: there's a lot of random ass tooling out there that treats Python wheels as a mostly opaque archive, and unpacks/repacks them in various ways. The original PEP behind wheels also (implicitly) expects this, since it refers to extraction with a "ZIP client" and not Python's zipfile specifically.
I think security scanners are a simple example, but Linux distros, Homebrew, etc. all also process Python package distributions in ways that mostly just assume a ZIP container, without additionally trying to exactly match how Python's `zipfile` behaves.
> I don't know what you have in mind here.
The security scanner example from the original comment.
> but surely uv got its zip-decompression logic from a crate rather than hand-rolling it?
well... https://github.com/astral-sh/rs-async-zip
Interesting. (I have neither the familarity with Rust, nor the willingness to spend time on it, to decide how much of this is the fault of the original vs the fork.)
Related to multiple .zip formats: I've found macOS Archive Utility sometimes refuses to extract early pkzip .zips created on MS-DOS, but yet Info-ZIP handles them just fine.
And, the macOS Archive Utility will complain that a proper .tar.bz2 is "corrupt" created using bzip2.
In general, be liberal in input and be conservative in output. Sometimes, this means using less features or certain older formats so that all/most things work without issues.
> In general, be liberal in input and be conservative in output.
That is a dangerous maxim in a world with malicious players. In fact this PyPI problem is precisely because zip files are being too readily accepted, even if they have ambiguous meaning. Their fix is (very sensibly) to be less liberal with their input.
No, it's a well-regarded, fundamental engineering principle of standard and interoperable systems.
This hasn't been considered well-regarded for a very long time. I'd say the opposite is dogmatic: we're in a post-Postel world[1], in part because of observed security failures over the last 30 years.
[1]: https://alexgaynor.net/2025/mar/25/postels-law-and-the-three...
Maybe in the early days of the internet, or in closed systems, but in the open internet it's naive and actually leads to more brittle systems.
Sorry to repeat myself, but case in point is the article we're discussing! If something is accepted that is not in the specification then obviously its behaviour is unspecified. That means different implementations can easily have different behaviours, which can lead to security issues exactly like this one.
Even when there's no malice involved, it can often lead to de facto extensions to the specification. If several implementations accept something outside the standard (with roughly the same behaviour), and one accidentally produces it, then soon it becomes relied upon and all implementations need to handle it. Then the standard is no longer authoritative, or has to be retrospectively updated (see for example the huge part of the HTML spec that deals with otherwise invalid HTML).
Now I am curious at whether these ZIP confusion attacks are mitigated at other registries that use ZIPs? Are there any such?
Apart from Python Wheels, the other popular ecosystems using zip files are Java jar files, and NuGet.
Of these Java is the most interesting as there a few JDKs commonly in use.
But I’m also interested in various security scanners that are built in other languages that can be fooled.
Does NPM not use zip files?
(Search results for `npm package format` are entirely not useful for figuring out what an NPM package actually consists of, beyond containing a `package.json` file. `pypi package format` results look wildly different; the first result I get is https://packaging.python.org/en/latest/discussions/package-f... which is quite comprehensive about the exact information I want — disregarding for a moment the fact that I already know this stuff ;) The NPM search results, for me, start with a Geeks4Geeks tutorial on creating a package. Is there even anything analogous to the Python Packaging Authority — misunderstood and not-actually-authoritative as it is — for NPM?)
npm and Cargo use gzipped tarballs.
Tar is an awful format that has multiple ways of specifying file names and file sizes, so there could be some shenanigans happening.
It's also possible to make archives have different content based on case-sensitivity of the file system.
Ah. Python source distributions are the same, so there may be additional considerations there. Though in general it doesn't seem like there's much concern in the Python ecosystem about that, considering that building them will run arbitrary code anyway....
Thank you for the interesting article.