Relatório público de scanRepositório
astral-sh/uv
Escaneado em 23 de jun. de 2026
Risk score/ 100
Risco moderado
Resumo
The repository uses MD5 hashing in its extraction module (crates/uv-extract/src/hash.rs), which is cryptographically broken and vulnerable to collision attacks. While MD5 is used for file integrity verification rather than security-critical authentication, this represents a moderate risk as attackers could potentially craft malicious packages with matching MD5 checksums. The impact is contained to package integrity verification workflows, not authentication or encryption.
5
0
0
0
Principais findings
- CríticoMD5
crates/uv-extract/src/hash.rs:21
SHA3-256 or SHA-256
Evidência
Self::Md5(hasher) => hasher.update(data), - CríticoMD5
crates/uv-extract/src/hash.rs:33
SHA3-256 or SHA-256
Evidência
HashAlgorithm::Md5 => Self::Md5(md5::Md5::new()), - CríticoMD5
crates/uv-extract/src/hash.rs:45
SHA3-256 or SHA-256
Evidência
Hasher::Md5(hasher) => Self { - CríticoMD5
crates/uv-extract/src/hash.rs:46
SHA3-256 or SHA-256
Evidência
algorithm: HashAlgorithm::Md5, - CríticoMD5
crates/uv-extract/src/hash.rs:11
SHA3-256 or SHA-256
Evidência
Md5(md5::Md5),
Escaneie seu próprio repositório
Grátis. Resultados em ~90 segundos. CBOM + PDF DORA/NIS2 inclusos.