CVE-2025-32800
BaseFortify
Publication date: 2025-06-16
Last updated on: 2025-08-01
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| anaconda | conda-build | all versions before 25.3.0 (25.3.0 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1357 | Reliance on Insufficiently Trustworthy Component: the product is built from multiple separate components, but it uses a component that is not sufficiently trusted to meet expectations for security, reliability, updateability, and maintainability. Here the untrusted component is a dependency name that resolves against a public index where nobody had registered it. |
AI Powered Q&A
How can this vulnerability impact me?
If you install conda-build from its source repository with pip (for example `pip install .`), pip resolves the declared dependency `conda-index` against PyPI. Because that name was not registered on PyPI, anyone could claim it and upload a package whose build step or imported code runs arbitrary commands in your environment with your privileges. The outcome is a supply-chain compromise of the installing machine: unauthorized access, theft of data or credentials present in that environment, or damage to the system.
What immediate steps should I take to mitigate this vulnerability?
Upgrade conda-build to 25.3.0 or later. If you must install an older checkout from the repository with pip, pass `--no-deps` so pip resolves nothing from PyPI on the project's behalf, then install the real dependencies yourself from the channel that actually publishes them (conda-index is distributed through conda channels, not PyPI). It is also worth checking whether a package named `conda-index` already landed in affected environments from PyPI (for example with `pip show conda-index`): a pip-installed copy did not come from the legitimate source and should be treated as suspect.
Can you explain this vulnerability to me?
conda-build versions before 25.3.0 declared `conda-index` as a Python dependency in `pyproject.toml`. That project is not published on PyPI, so when conda-build is installed from its repository with pip, the resolver asks PyPI for a package that does not exist there. An unclaimed name on a public index is exactly the hazard CWE-1357 describes: anyone can register it, and whatever they upload becomes the package pip downloads, builds and later imports on every machine that runs the install, giving the registrant code execution in each of those environments. The fix shipped in conda-build 25.3.0. For older checkouts the workaround is `pip install --no-deps`, which stops pip from pulling any dependency, trustworthy or not, from PyPI.