astral-sh/uv

Scanned on Jun 23, 2026

Risk score/ 100

Moderate risk

Summary

The repository uses MD5 hashing in its extraction module (crates/uv-extract/src/hash.rs), which is cryptographically broken and vulnerable to collision attacks. While MD5 is used for file integrity verification rather than security-critical authentication, this represents a moderate risk as attackers could potentially craft malicious packages with matching MD5 checksums. The impact is contained to package integrity verification workflows, not authentication or encryption.

Critical

High

Medium

Low

Top findings

CriticalMD5
crates/uv-extract/src/hash.rs:21
SHA3-256 or SHA-256
Raw evidence
```
Self::Md5(hasher) => hasher.update(data),
```
CriticalMD5
crates/uv-extract/src/hash.rs:33
SHA3-256 or SHA-256
Raw evidence
```
HashAlgorithm::Md5 => Self::Md5(md5::Md5::new()),
```
CriticalMD5
crates/uv-extract/src/hash.rs:45
SHA3-256 or SHA-256
Raw evidence
```
Hasher::Md5(hasher) => Self {
```
CriticalMD5
crates/uv-extract/src/hash.rs:46
SHA3-256 or SHA-256
Raw evidence
```
algorithm: HashAlgorithm::Md5,
```
CriticalMD5
crates/uv-extract/src/hash.rs:11
SHA3-256 or SHA-256
Raw evidence
```
Md5(md5::Md5),
```

Scan your own repository

Free. Results in ~90 seconds. CBOM + DORA/NIS2 PDF included.

Start a free scan