Approved changes feed: RSS · Atom

cpe:2.3:a:anaconda:conda-build:*:*:*:*:*:*:*:*

part: a version: * update: *

VendorAnaconda (3b46250f-37c4-5689-8080-4097943a18fc)
ProductConda Build (39ee8c7f-0e1c-57d8-978e-92c6b36e174f)
Edition*
Language*
Software edition*
Target software*
Target hardware*
Other*
NotesImported from gcve-enriched-dumps CVE data

PURL mappings

PURLSourceLast updated
No PURL mappings for this CPE yet.

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2025-32800 vulnerable 2026-06-08 07:19:00.867400 Conda-build vulnerable to supply chain attack vector due to pyproject.toml referring to dependencies not present in PyPI
Conda-build contains commands and tools to build conda packages. Prior to version 25.3.0, the pyproject.toml lists conda-index as a Python dependency. This package is not published in PyPI. An attacker could claim this namespace and upload arbitrary (malicious) code to the package, and then exploit pip install commands by injecting the malicious dependency in the solve. This issue has been fixed in version 25.3.0. A workaround involves using --no-deps for pip install-ing the project from the repository.
Published: 2025-06-16T20:38:53.100Z
Updated: 2025-06-17T19:03:49.217Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-32799 vulnerable 2026-06-08 07:19:00.866900 Conda-build Vulnerable to Path Traversal via Malicious Tar File
Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-build processing logic is vulnerable to path traversal (Tarslip) attacks due to improper sanitization of tar entry paths. Attackers can craft tar archives containing entries with directory traversal sequences to write files outside the intended extraction directory. This could lead to arbitrary file overwrites, privilege escalation, or code execution if sensitive locations are targeted. This issue has been patched in version 25.4.0.
Published: 2025-06-16T20:23:02.645Z
Updated: 2025-06-17T18:10:29.876Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-32798 vulnerable 2026-06-08 07:19:00.866476 Conda-build Allows Arbitrary Code Execution via Malicious Recipe Selectors
Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-build recipe processing logic has been found to be vulnerable to arbitrary code execution due to unsafe evaluation of recipe selectors. Currently, conda-build uses the eval function to process embedded selectors in meta.yaml files. This approach evaluates user-defined expressions without proper sanitization, which allows arbitrary code to be executed during the build process. As a result, the integrity of the build environment is compromised, and unauthorized commands or file operations may be performed. The vulnerability stems from the inherent risk of using eval() on untrusted input in a context intended to control dynamic build configurations. By directly interpreting selector expressions, conda-build creates a potential execution pathway for malicious code, violating security assumptions. This issue has been patched in version 25.4.0.
Published: 2025-06-16T20:10:06.902Z
Updated: 2025-06-17T18:11:27.848Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-32797 vulnerable 2026-06-08 07:19:00.865841 Conda-build Insecure Build Script Permissions Enabling Arbitrary Code Execution
Conda-build contains commands and tools to build conda packages. Prior to version 25.3.1, the write_build_scripts function in conda-build creates the temporary build script conda_build.sh with overly permissive file permissions (0o766), allowing write access to all users. Attackers with filesystem access can exploit a race condition to overwrite the script before execution, enabling arbitrary code execution under the victim's privileges. This risk is significant in shared environments, potentially leading to full system compromise. Even with non-static directory names, attackers can monitor parent directories for file creation events. The brief window between script creation (with insecure permissions) and execution allows rapid overwrites. Directory names can also be inferred via timestamps or logs, and automation enables exploitation even with semi-randomized paths by acting within milliseconds of detection. This issue has been patched in version 25.3.1. A workaround involves restricting conda_build.sh permissions from 0o766 to 0o700 (owner-only read/write/execute). Additionally, use atomic file creation (write to a temporary randomized filename and rename atomically) to minimize the race condition window.
Published: 2025-06-16T18:46:31.227Z
Updated: 2025-06-17T13:57:44.968Z
Reference links
Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.