CVE-2025-32797
BaseFortify
Publication date: 2025-06-16
Last updated on: 2025-08-11
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| anaconda | conda-build | to 25.3.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-277 | A product defines a set of insecure permissions that are inherited by objects that are created by the program. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-32797 is a vulnerability in the conda-build package where a temporary build script named conda_build.sh is created with overly permissive file permissions (0o766), allowing all users to write to it. Attackers with local filesystem access can exploit a race condition by overwriting this script before it is executed, enabling arbitrary code execution with the victim's privileges. This is especially risky in shared environments where attackers can monitor directories for file creation and quickly overwrite the script within milliseconds. The vulnerability has been fixed in conda-build version 25.3.1 by restricting file permissions to 0o700 and using atomic file creation to reduce the race condition window. [1]
How can this vulnerability impact me?
This vulnerability can lead to arbitrary code execution under the privileges of the user running conda-build. In shared or multi-user environments, an attacker with local access can exploit the race condition to overwrite the build script and execute malicious code, potentially escalating privileges and compromising the entire system. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the creation of the temporary build script `conda_build.sh` with overly permissive permissions (0o766) in shared or multi-user environments. Tools like inotify can be used to watch parent directories (e.g., `~/conda-bld`) for file creation events to detect suspicious activity. Checking the permissions of `conda_build.sh` files during build processes can also help identify vulnerable instances. For example, run `ls -l conda_build.sh` in build directories to verify whether the permissions are 766 (rwxrw-rw-, writable by group and others) instead of the secure 700 (rwx------). Additionally, using `inotifywait` to monitor directory events can help detect rapid file creation and modification indicative of exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading conda-build to version 25.3.1 or later, where the vulnerability is patched. The patch restricts the permissions of `conda_build.sh` to 0o700 (owner-only read/write/execute) and implements atomic file creation to minimize the race condition window. As a workaround before upgrading, manually restrict the permissions of `conda_build.sh` from 0o766 to 0o700 to prevent write access by other users. Additionally, ensure that build scripts are created atomically by writing to a temporary randomized filename and then renaming it atomically to reduce the risk of race condition exploitation. [1, 2]
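The following is an added example, not code from the conda-build project or from this page, illustrating both the detection check and the workaround described in the two answers above: it walks a build root (the `~/conda-bld` location is an assumption; the script name and the 0o766 / 0o700 modes come from the advisory) looking for `conda_build.sh` files writable by group or others, and it shows how to create such a script atomically with a random temporary name and owner-only mode so that it never exists on disk with loose permissions. The directory layout and script contents in `demo()` are constructed for the example.

```python
import os
import stat
import tempfile

SCRIPT_NAME = "conda_build.sh"
INSECURE_MODE = 0o766  # mode the advisory reports for vulnerable versions
SECURE_MODE = 0o700    # owner-only mode used by the fix


def group_or_other_writable(path):
    """True if the file's mode grants write to group or others (the 0o766 case)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_insecure_build_scripts(root):
    """Detection check: return every conda_build.sh under `root` that another
    local user could overwrite before it runs."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if SCRIPT_NAME in filenames:
            path = os.path.join(dirpath, SCRIPT_NAME)
            if group_or_other_writable(path):
                hits.append(path)
    return sorted(hits)


def write_build_script_atomically(directory, contents, mode=SECURE_MODE):
    """Workaround pattern from the advisory: create the script under a random
    temporary name with restrictive permissions, write it, then rename it onto
    the final name. The rename is atomic on POSIX, so conda_build.sh is never
    observable in a half-written or group/other-writable state."""
    final_path = os.path.join(directory, SCRIPT_NAME)
    # mkstemp opens with O_CREAT|O_EXCL and mode 0o600, unaffected by umask.
    fd, tmp_path = tempfile.mkstemp(prefix=".conda_build.", suffix=".tmp", dir=directory)
    try:
        os.fchmod(fd, mode)  # add the owner execute bit before any content lands
        with os.fdopen(fd, "w") as f:
            f.write(contents)
        os.replace(tmp_path, final_path)
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return final_path


def demo():
    """Constructed scenario in a throwaway directory: one script created the
    insecure way (plain open + chmod 0o766), one created atomically.
    Returns (relative paths flagged by the check, mode of the safe script)."""
    contents = "#!/bin/sh\necho build\n"  # constructed placeholder build script
    with tempfile.TemporaryDirectory() as root:
        bad_dir = os.path.join(root, "pkg-bad_1234", "work")
        good_dir = os.path.join(root, "pkg-good_1234", "work")
        os.makedirs(bad_dir)
        os.makedirs(good_dir)

        bad_path = os.path.join(bad_dir, SCRIPT_NAME)
        with open(bad_path, "w") as f:
            f.write(contents)
        os.chmod(bad_path, INSECURE_MODE)  # reproduces the vulnerable permissions

        good_path = write_build_script_atomically(good_dir, contents)

        hits = [os.path.relpath(p, root) for p in find_insecure_build_scripts(root)]
        good_mode = stat.S_IMODE(os.stat(good_path).st_mode)
    return hits, good_mode


if __name__ == "__main__":
    flagged, mode = demo()
    print("flagged:", flagged)
    print("safe script mode: %o" % mode)
```

To run the detection part against a real build root, call `find_insecure_build_scripts(os.path.expanduser("~/conda-bld"))` while a build is in progress; an empty result means no `conda_build.sh` is currently writable by other users. The `mkstemp` plus `os.replace` pattern is the same "write to a randomized temporary name, then rename" approach the mitigation answer describes.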