Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx