Search criteria
8 vulnerabilities by conda-forge
CVE-2025-49824 (GCVE-0-2025-49824)
Vulnerability from cvelistv5 – Published: 2025-06-17 20:40 – Updated: 2025-06-18 15:46
VLAI?
Title
conda-smithy Insecure Encryption Vulnerable to Oracle Padding Attack
Summary
conda-smithy is a tool for combining a conda recipe with configurations to build using freely hosted CI services into a single repository. Prior to version 3.47.1, the travis_encrypt_binstar_token implementation in the conda-smithy package has been identified as vulnerable to an Oracle Padding Attack. This vulnerability results from the use of an outdated and insecure padding scheme during RSA encryption. A malicious actor with access to an oracle system can exploit this flaw by iteratively submitting modified ciphertexts and analyzing responses to infer the plaintext without possessing the private key. This issue has been patched in version 3.47.1.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| conda-forge | conda-smithy |
Affected:
< 3.47.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49824",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-18T15:46:11.132113Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T15:46:26.019Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "conda-smithy",
"vendor": "conda-forge",
"versions": [
{
"status": "affected",
"version": "\u003c 3.47.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "conda-smithy is a tool for combining a conda recipe with configurations to build using freely hosted CI services into a single repository. Prior to version 3.47.1, the travis_encrypt_binstar_token implementation in the conda-smithy package has been identified as vulnerable to an Oracle Padding Attack. This vulnerability results from the use of an outdated and insecure padding scheme during RSA encryption. A malicious actor with access to an oracle system can exploit this flaw by iteratively submitting modified ciphertexts and analyzing responses to infer the plaintext without possessing the private key. This issue has been patched in version 3.47.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 1.7,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T20:40:02.477Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/conda-forge/conda-smithy/security/advisories/GHSA-2xf4-hg9q-m58q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/conda-forge/conda-smithy/security/advisories/GHSA-2xf4-hg9q-m58q"
},
{
"name": "https://github.com/conda-forge/conda-smithy/commit/24cc0a55a363479e797c825be3a7f2603ef374a1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/conda-forge/conda-smithy/commit/24cc0a55a363479e797c825be3a7f2603ef374a1"
},
{
"name": "https://github.com/conda-forge/conda-smithy/blob/46a06524eeeb7f59e0969c3967ce5f700643d322/conda_smithy/ci_register.py#L447",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/conda-forge/conda-smithy/blob/46a06524eeeb7f59e0969c3967ce5f700643d322/conda_smithy/ci_register.py#L447"
}
],
"source": {
"advisory": "GHSA-2xf4-hg9q-m58q",
"discovery": "UNKNOWN"
},
"title": "conda-smithy Insecure Encryption Vulnerable to Oracle Padding Attack"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-49824",
"datePublished": "2025-06-17T20:40:02.477Z",
"dateReserved": "2025-06-11T14:33:57.798Z",
"dateUpdated": "2025-06-18T15:46:26.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-49843 (GCVE-0-2025-49843)
Vulnerability from cvelistv5 – Published: 2025-06-17 20:39 – Updated: 2025-06-18 15:48
VLAI?
Title
conda-smithy Has Incorrect Default File Permissions
Summary
conda-smithy is a tool for combining a conda recipe with configurations to build using freely hosted CI services into a single repository. Prior to version 3.47.1, the travis_headers function in the conda-smithy repository creates files with permissions exceeding 0o600, allowing read and write access beyond the intended user/owner. This violates the principle of least privilege, which mandates restricting file permissions to the minimum necessary. An attacker could exploit this to access configuration files in shared hosting environments. This issue has been patched in version 3.47.1.
Severity ?
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| conda-forge | conda-smithy |
Affected:
< 3.47.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49843",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-18T15:47:57.920540Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T15:48:45.983Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "conda-smithy",
"vendor": "conda-forge",
"versions": [
{
"status": "affected",
"version": "\u003c 3.47.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "conda-smithy is a tool for combining a conda recipe with configurations to build using freely hosted CI services into a single repository. Prior to version 3.47.1, the travis_headers function in the conda-smithy repository creates files with permissions exceeding 0o600, allowing read and write access beyond the intended user/owner. This violates the principle of least privilege, which mandates restricting file permissions to the minimum necessary. An attacker could exploit this to access configuration files in shared hosting environments. This issue has been patched in version 3.47.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.7,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276: Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T20:39:52.569Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/conda-forge/conda-smithy/security/advisories/GHSA-h9v8-rrqg-3m95",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/conda-forge/conda-smithy/security/advisories/GHSA-h9v8-rrqg-3m95"
},
{
"name": "https://github.com/conda-forge/conda-smithy/commit/24cc0a55a363479e797c825be3a7f2603ef374a1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/conda-forge/conda-smithy/commit/24cc0a55a363479e797c825be3a7f2603ef374a1"
},
{
"name": "https://github.com/conda-forge/conda-smithy/blob/1dc21086a476f6aeb6c1bad8bf58474bf3a8f8f0/conda_smithy/ci_register.py#L109-L111",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/conda-forge/conda-smithy/blob/1dc21086a476f6aeb6c1bad8bf58474bf3a8f8f0/conda_smithy/ci_register.py#L109-L111"
}
],
"source": {
"advisory": "GHSA-h9v8-rrqg-3m95",
"discovery": "UNKNOWN"
},
"title": "conda-smithy Has Incorrect Default File Permissions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-49843",
"datePublished": "2025-06-17T20:39:52.569Z",
"dateReserved": "2025-06-11T14:33:57.800Z",
"dateUpdated": "2025-06-18T15:48:45.983Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-49842 (GCVE-0-2025-49842)
Vulnerability from cvelistv5 – Published: 2025-06-17 14:02 – Updated: 2025-06-17 18:15
VLAI?
Title
conda-forge-webservices Privilege Escalation Risk via Default Docker Root User
Summary
conda-forge-webservices is the web app deployed to run conda-forge admin commands and linting. Prior to version 2025.3.24, the conda_forge_webservice Docker container executes commands without specifying a user. By default, Docker containers run as the root user, which increases the risk of privilege escalation and host compromise if a vulnerability is exploited. This issue has been patched in version 2025.3.24.
Severity ?
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| conda-forge | conda-forge-webservices |
Affected:
< 2025.3.24
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49842",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-17T14:16:50.613240Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T18:15:47.781Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "conda-forge-webservices",
"vendor": "conda-forge",
"versions": [
{
"status": "affected",
"version": "\u003c 2025.3.24"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "conda-forge-webservices is the web app deployed to run conda-forge admin commands and linting. Prior to version 2025.3.24, the conda_forge_webservice Docker container executes commands without specifying a user. By default, Docker containers run as the root user, which increases the risk of privilege escalation and host compromise if a vulnerability is exploited. This issue has been patched in version 2025.3.24."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276: Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T14:02:37.266Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/conda-forge/conda-forge-webservices/security/advisories/GHSA-3cj6-wc22-wvpv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/conda-forge/conda-forge-webservices/security/advisories/GHSA-3cj6-wc22-wvpv"
},
{
"name": "https://github.com/conda-forge/conda-forge-webservices/commit/c28b67f833f32299cc47eef8ad226ca991db67ae",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/conda-forge/conda-forge-webservices/commit/c28b67f833f32299cc47eef8ad226ca991db67ae"
}
],
"source": {
"advisory": "GHSA-3cj6-wc22-wvpv",
"discovery": "UNKNOWN"
},
"title": "conda-forge-webservices Privilege Escalation Risk via Default Docker Root User"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-49842",
"datePublished": "2025-06-17T14:02:37.266Z",
"dateReserved": "2025-06-11T14:33:57.800Z",
"dateUpdated": "2025-06-17T18:15:47.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-49598 (GCVE-0-2025-49598)
Vulnerability from cvelistv5 – Published: 2025-06-13 20:22 – Updated: 2025-06-13 20:33
VLAI?
Title
conda-forge-ci-setup Allows Arbitrary Code Execution via Insecure Version Parsing
Summary
conda-forge-ci-setup is a package installed by conda-forge each time a build is run on CI. The conda-forge-ci-setup-feedstock setup script is vulnerable due to the unsafe use of the eval function when parsing version information from a custom-formatted meta.yaml file. An attacker controlling meta.yaml can inject malicious code into the version assignment, which is executed during file processing, leading to arbitrary code execution. Exploitation requires an attacker to modify the recipe file by manipulating the RECIPE_DIR variable and introducing a malicious meta.yaml file. While this is more feasible in CI/CD pipelines, it is uncommon in typical environments, reducing overall risk. This vulnerability is fixed in 4.15.0.
Severity ?
CWE
- CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| conda-forge | conda-forge-ci-setup-feedstock |
Affected:
< 4.15.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49598",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T20:33:22.623020Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T20:33:39.563Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/conda-forge/conda-forge-ci-setup-feedstock/security/advisories/GHSA-jh2q-mrmj-hff3"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "conda-forge-ci-setup-feedstock",
"vendor": "conda-forge",
"versions": [
{
"status": "affected",
"version": "\u003c 4.15.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "conda-forge-ci-setup is a package installed by conda-forge each time a build is run on CI. The conda-forge-ci-setup-feedstock setup script is vulnerable due to the unsafe use of the eval function when parsing version information from a custom-formatted meta.yaml file. An attacker controlling meta.yaml can inject malicious code into the version assignment, which is executed during file processing, leading to arbitrary code execution. Exploitation requires an attacker to modify the recipe file by manipulating the RECIPE_DIR variable and introducing a malicious meta.yaml file. While this is more feasible in CI/CD pipelines, it is uncommon in typical environments, reducing overall risk. This vulnerability is fixed in 4.15.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T20:22:37.600Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/conda-forge/conda-forge-ci-setup-feedstock/security/advisories/GHSA-jh2q-mrmj-hff3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/conda-forge/conda-forge-ci-setup-feedstock/security/advisories/GHSA-jh2q-mrmj-hff3"
},
{
"name": "https://github.com/conda-forge/conda-forge-ci-setup-feedstock/commit/fd91cb271c01f0e7928ebdc1feaac96fe385f959",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/conda-forge/conda-forge-ci-setup-feedstock/commit/fd91cb271c01f0e7928ebdc1feaac96fe385f959"
}
],
"source": {
"advisory": "GHSA-jh2q-mrmj-hff3",
"discovery": "UNKNOWN"
},
"title": "conda-forge-ci-setup Allows Arbitrary Code Execution via Insecure Version Parsing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-49598",
"datePublished": "2025-06-13T20:22:37.600Z",
"dateReserved": "2025-06-06T15:44:21.557Z",
"dateUpdated": "2025-06-13T20:33:39.563Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-35471 (GCVE-0-2025-35471)
Vulnerability from cvelistv5 – Published: 2025-05-13 01:13 – Updated: 2025-05-22 19:32
VLAI?
Title
conda-forge openssl-feedstock writable OPENSSLDIR
Summary
conda-forge openssl-feedstock before 066e83c (2024-05-20), on Microsoft Windows, configures OpenSSL to use an OPENSSLDIR file path that can be written to by non-privilged local users. By writing a specially crafted openssl.cnf file in OPENSSLDIR, a non-privileged local user can execute arbitrary code with the privileges of the user or process loading openssl-feedstock DLLs. Miniforge before 24.5.0 is also affected.
Severity ?
CWE
- CWE-427 - Uncontrolled Search Path Element
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| conda-forge | openssl-feedstock |
Affected:
0 , < 066e83c
(git)
Unaffected: 066e83c |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-35471",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-22T19:32:29.175073Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T19:32:45.353Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "openssl-feedstock",
"vendor": "conda-forge",
"versions": [
{
"lessThan": "066e83c",
"status": "affected",
"version": "0",
"versionType": "git"
},
{
"status": "unaffected",
"version": "066e83c"
}
]
},
{
"defaultStatus": "unknown",
"product": "miniforge",
"vendor": "conda-forge",
"versions": [
{
"lessThan": "24.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "24.5.0"
}
]
}
],
"datePublic": "2024-05-20T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "conda-forge openssl-feedstock before 066e83c (2024-05-20), on Microsoft Windows, configures OpenSSL to use an OPENSSLDIR file path that can be written to by non-privilged local users. By writing a specially crafted openssl.cnf file in OPENSSLDIR, a non-privileged local user can execute arbitrary code with the privileges of the user or process loading openssl-feedstock DLLs. Miniforge before 24.5.0 is also affected."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
},
{
"other": {
"content": {
"id": "CVE-2025-35471",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-12T16:29:52.839531Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "CWE-427 Uncontrolled Search Path Element",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T13:08:25.251Z",
"orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"shortName": "cisa-cg"
},
"references": [
{
"name": "url",
"url": "https://github.com/conda-forge/openssl-feedstock/commit/066e83c5226bafe90a9c0575b077ce30cd5f5921"
},
{
"name": "url",
"url": "https://github.com/conda-forge/openssl-feedstock/issues/201"
}
],
"title": "conda-forge openssl-feedstock writable OPENSSLDIR"
}
},
"cveMetadata": {
"assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"assignerShortName": "cisa-cg",
"cveId": "CVE-2025-35471",
"datePublished": "2025-05-13T01:13:14.639Z",
"dateReserved": "2025-04-15T20:57:14.283Z",
"dateUpdated": "2025-05-22T19:32:45.353Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32784 (GCVE-0-2025-32784)
Vulnerability from cvelistv5 – Published: 2025-04-15 21:56 – Updated: 2025-04-17 14:25
VLAI?
Title
conda-forge-webservices has an Unauthorized Artifact Modification Race Condition
Summary
conda-forge-webservices is the web app deployed to run conda-forge admin commands and linting. In versions prior to 2025.4.10, a race condition vulnerability has been identified in the conda-forge-webservices component used within the shared build infrastructure. This vulnerability, categorized as a Time-of-Check to Time-of-Use (TOCTOU) issue, can be exploited to introduce unauthorized modifications to build artifacts stored in the cf-staging Anaconda channel. Exploitation may result in the unauthorized publication of malicious artifacts to the production conda-forge channel. The core vulnerability results from the absence of atomicity between the hash validation and the artifact copy operation. This gap allows an attacker, with access to the cf-staging token, to overwrite the validated artifact with a malicious version immediately after hash verification, but before the copy action is executed. As the cf-staging channel permits artifact overwrites, such an operation can be carried out using the anaconda upload --force command. This vulnerability is fixed in 2025.4.10.
Severity ?
CWE
- CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| conda-forge | conda-forge-webservices |
Affected:
< 2025.4.10
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32784",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-17T14:24:58.971374Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T14:25:10.981Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "conda-forge-webservices",
"vendor": "conda-forge",
"versions": [
{
"status": "affected",
"version": "\u003c 2025.4.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "conda-forge-webservices is the web app deployed to run conda-forge admin commands and linting. In versions prior to 2025.4.10, a race condition vulnerability has been identified in the conda-forge-webservices component used within the shared build infrastructure. This vulnerability, categorized as a Time-of-Check to Time-of-Use (TOCTOU) issue, can be exploited to introduce unauthorized modifications to build artifacts stored in the cf-staging Anaconda channel. Exploitation may result in the unauthorized publication of malicious artifacts to the production conda-forge channel. The core vulnerability results from the absence of atomicity between the hash validation and the artifact copy operation. This gap allows an attacker, with access to the cf-staging token, to overwrite the validated artifact with a malicious version immediately after hash verification, but before the copy action is executed. As the cf-staging channel permits artifact overwrites, such an operation can be carried out using the anaconda upload --force command. This vulnerability is fixed in 2025.4.10."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T21:56:27.639Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/conda-forge/conda-forge-webservices/security/advisories/GHSA-28cx-74fp-g2g2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/conda-forge/conda-forge-webservices/security/advisories/GHSA-28cx-74fp-g2g2"
},
{
"name": "https://github.com/conda-forge/conda-forge-webservices/commit/141ed27617068debd150956341551df3a5a3807d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/conda-forge/conda-forge-webservices/commit/141ed27617068debd150956341551df3a5a3807d"
}
],
"source": {
"advisory": "GHSA-28cx-74fp-g2g2",
"discovery": "UNKNOWN"
},
"title": "conda-forge-webservices has an Unauthorized Artifact Modification Race Condition"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32784",
"datePublished": "2025-04-15T21:56:27.639Z",
"dateReserved": "2025-04-10T12:51:12.279Z",
"dateUpdated": "2025-04-17T14:25:10.981Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31484 (GCVE-0-2025-31484)
Vulnerability from cvelistv5 – Published: 2025-04-02 21:38 – Updated: 2025-04-03 19:38
VLAI?
Title
conda-forge infrastructure uses a bad token for Azure's cf-staging access
Summary
conda-forge infrastructure holds common configurations and settings for key pieces of the conda-forge infrastructure.
Between 2025-02-10 and 2025-04-01, conda-forge infrastructure used the wrong token for Azure's cf-staging access. This bug meant that any feedstock maintainer could upload a package to the conda-forge channel, bypassing our feedstock-token + upload process. The security logs on anaconda.org were check for any packages that were not copied from the cf-staging to the conda-forge channel and none were found.
Severity ?
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| conda-forge | infrastructure |
Affected:
>= 2025-02-10, <= 2025-04-01
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31484",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-03T19:35:06.236135Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T19:38:18.563Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "infrastructure",
"vendor": "conda-forge",
"versions": [
{
"status": "affected",
"version": "\u003e= 2025-02-10, \u003c= 2025-04-01"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "conda-forge infrastructure holds common configurations and settings for key pieces of the conda-forge infrastructure.\nBetween 2025-02-10 and 2025-04-01, conda-forge infrastructure used the wrong token for Azure\u0027s cf-staging access. This bug meant that any feedstock maintainer could upload a package to the conda-forge channel, bypassing our feedstock-token + upload process. The security logs on anaconda.org were check for any packages that were not copied from the cf-staging to the conda-forge channel and none were found."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-02T21:38:03.493Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/conda-forge/infrastructure/security/advisories/GHSA-m4h2-49xf-vq72",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/conda-forge/infrastructure/security/advisories/GHSA-m4h2-49xf-vq72"
},
{
"name": "https://github.com/conda-forge/infrastructure/commit/70f3f09e64968d5f0a7b0525846f17cad42dd052",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/conda-forge/infrastructure/commit/70f3f09e64968d5f0a7b0525846f17cad42dd052"
}
],
"source": {
"advisory": "GHSA-m4h2-49xf-vq72",
"discovery": "UNKNOWN"
},
"title": "conda-forge infrastructure uses a bad token for Azure\u0027s cf-staging access"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-31484",
"datePublished": "2025-04-02T21:38:03.493Z",
"dateReserved": "2025-03-28T13:36:51.297Z",
"dateUpdated": "2025-04-03T19:38:18.563Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27510 (GCVE-0-2025-27510)
Vulnerability from cvelistv5 – Published: 2025-03-04 21:48 – Updated: 2025-03-05 16:37
VLAI?
Title
RCE in the package conda-forge-metadata
Summary
conda-forge-metadata provides programatic access to conda-forge's metadata. conda-forge-metadata uses an optional dependency - "conda-oci-mirror" which was neither present on the PyPi repository nor registered by any entity. If conda-oci-mirror is taken over by a threat actor, it can result in remote code execution.
Severity ?
CWE
- CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| conda-forge | conda-forge-metadata |
Affected:
<= 0.4.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27510",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T16:37:27.676304Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T16:37:33.675Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/conda-forge/conda-forge-metadata/security/advisories/GHSA-vwfh-m3q7-9jpw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "conda-forge-metadata",
"vendor": "conda-forge",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "conda-forge-metadata provides programatic access to conda-forge\u0027s metadata. conda-forge-metadata uses an optional dependency - \"conda-oci-mirror\" which was neither present on the PyPi repository nor registered by any entity. If conda-oci-mirror is taken over by a threat actor, it can result in remote code execution."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-829",
"description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-04T21:48:12.688Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/conda-forge/conda-forge-metadata/security/advisories/GHSA-vwfh-m3q7-9jpw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/conda-forge/conda-forge-metadata/security/advisories/GHSA-vwfh-m3q7-9jpw"
},
{
"name": "https://github.com/conda-forge/conda-forge-metadata/blob/799aee36b21ee06289d73d57838b28201f5a57af/pyproject.toml#L28",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/conda-forge/conda-forge-metadata/blob/799aee36b21ee06289d73d57838b28201f5a57af/pyproject.toml#L28"
}
],
"source": {
"advisory": "GHSA-vwfh-m3q7-9jpw",
"discovery": "UNKNOWN"
},
"title": "RCE in the package conda-forge-metadata"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27510",
"datePublished": "2025-03-04T21:48:12.688Z",
"dateReserved": "2025-02-26T18:11:52.306Z",
"dateUpdated": "2025-03-05T16:37:33.675Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}