CVE-2025-32798
published 2025-06-16CVE-2025-32798: Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-build recipe processing logic has been found to be…
PriorityP262critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.69%
48.3th percentile
Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-build recipe processing logic has been found to be vulnerable to arbitrary code execution due to unsafe evaluation of recipe selectors. Currently, conda-build uses the eval function to process embedded selectors in meta.yaml files. This approach evaluates user-defined expressions without proper sanitization, which allows arbitrary code to be executed during the build process. As a result, the integrity of the build environment is compromised, and unauthorized commands or file operations may be performed. The vulnerability stems from the inherent risk of using eval() on untrusted input in a context intended to control dynamic build configurations. By directly interpreting selector expressions, conda-build creates a potential execution pathway for malicious code, violating security assumptions. This issue has been patched in version 25.4.0.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| anaconda | conda-build | < 25.4.0 | 25.4.0 |
| conda | conda-build | < 25.4.0 | 25.4.0 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.08.2HIGHCVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No advisories linked to this vulnerability.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/conda/conda-build/blob/834448b995eee02cf1c2e7ca97bcfa9affc77ee5/conda_build/metadata.pyhttps://github.com/conda/conda-build/commit/3d87213b840774a24ab1733664d2b36664233754https://github.com/conda/conda-build/security/advisories/GHSA-6cc8-c3c9-3rgrhttps://github.com/conda/conda-build/security/advisories/GHSA-6cc8-c3c9-3rgr
2025-06-16
Published