Conda Conda-Build vulnerabilities
4 known vulnerabilities affecting conda/conda-build.
Total CVEs
4
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL3HIGH1
Vulnerabilities
Page 1 of 1
CVE-2025-32798P2CRITICALCVSS 9.8fixed in 25.4.02025-06-16
CVE-2025-32798 [CRITICAL] CWE-94 CVE-2025-32798: Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-
Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-build recipe processing logic has been found to be vulnerable to arbitrary code execution due to unsafe evaluation of recipe selectors. Currently, conda-build uses the eval function to process embedded selectors in meta.yaml files. This approach eval
nvd
CVE-2025-32799P2CRITICALCVSS 9.8fixed in 25.4.02025-06-16
CVE-2025-32799 [CRITICAL] CWE-22 CVE-2025-32799: Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-
Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-build processing logic is vulnerable to path traversal (Tarslip) attacks due to improper sanitization of tar entry paths. Attackers can craft tar archives containing entries with directory traversal sequences to write files outside the intended extra
nvd
CVE-2025-32800P3CRITICALCVSS 9.8fixed in 25.3.02025-06-16
CVE-2025-32800 [CRITICAL] CWE-1357 CVE-2025-32800: Conda-build contains commands and tools to build conda packages. Prior to version 25.3.0, the pyproj
Conda-build contains commands and tools to build conda packages. Prior to version 25.3.0, the pyproject.toml lists conda-index as a Python dependency. This package is not published in PyPI. An attacker could claim this namespace and upload arbitrary (malicious) code to the package, and then exploit pip install commands by injecting the malicious
nvd
CVE-2025-32797P3HIGHCVSS 7.0fixed in 25.3.12025-06-16
CVE-2025-32797 [HIGH] CWE-277 CVE-2025-32797: Conda-build contains commands and tools to build conda packages. Prior to version 25.3.1, the write_
Conda-build contains commands and tools to build conda packages. Prior to version 25.3.1, the write_build_scripts function in conda-build creates the temporary build script conda_build.sh with overly permissive file permissions (0o766), allowing write access to all users. Attackers with filesystem access can exploit a race condition to overwrite the s
nvd