CVE-2025-49823
Awaiting Analysis - Queue
BaseFortify

Publication date: 2025-06-17

Last updated on: 2025-06-17

Assigner: GitHub, Inc.

Description
(conda) Constructor is a tool which allows constructing an installer for a collection of conda packages. Prior to version 3.11.3, shell installer scripts process the installation prefix (user_prefix) using an eval statement, which executes unsanitized user input as shell code. Although the script runs with user privileges (not root), an attacker could exploit this by injecting arbitrary commands through a malicious path during installation. Exploitation requires explicit user action. This issue has been patched in version 3.11.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-06-17
Last Modified
2025-06-17
Generated
2026-05-07
AI Q&A
2025-06-17
EPSS Evaluated
2026-05-05
NVD
EUVD
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
KEV
CWE-77: The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the conda constructor tool's shell installer scripts prior to version 3.11.3. The installer processes the installation prefix (user_prefix) using an eval statement, which executes unsanitized user input as shell code. This allows an attacker to inject arbitrary commands through a malicious installation path during installation. Exploitation requires explicit user action, such as manually entering a crafted malicious path. The vulnerability was fixed by replacing the unsafe eval usage with a safer function that expands user input without executing it as code. [1, 2]


How can this vulnerability impact me?

If exploited, this vulnerability could allow an attacker to execute arbitrary shell commands with the privileges of the user running the installer. However, the script runs with user-level privileges (not root), and exploitation requires explicit user interaction by entering a malicious installation path. The CVSS score is low (0.0), indicating limited impact, with no effect on confidentiality, integrity, or availability. The main risk is arbitrary code execution at the user level during installation. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is related to the use of an unsafe eval statement in the conda constructor shell installer scripts prior to version 3.11.3. Detection involves checking the version of the conda constructor installed on your system. You can detect vulnerable versions by running a command to check the installed version, for example: `constructor --version` or inspecting the installer script for the presence of the unsafe eval usage. There are no specific network detection commands since exploitation requires explicit user interaction and local execution. Additionally, you can search installer scripts for the use of `eval` on user input, e.g., `grep -n 'eval.*user_prefix' <installer_script>`. [1, 2]
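The following script is an added example, not part of this record and not code from the constructor project. It combines the two points made above: a check that flags installer scripts which pass `user_prefix` through `eval` (the same `grep` pattern suggested in the answer), and a prefix-expansion helper that rewrites only a leading `~` to `$HOME` without executing the value as shell code. The `has_unsafe_eval` and `safe_expand_prefix` function names and the two installer fragments are constructed for this example; the patched constructor release may implement its expansion differently.

```shell
#!/bin/sh
# Added example, not the constructor project's code. Demonstrates a scan for the
# weak `eval` pattern and a hardened prefix expansion that never runs user input.
# `user_prefix` is the variable named in the advisory; the fragments are constructed.

# Detection: exit 0 if the script applies eval to user_prefix, 1 otherwise.
has_unsafe_eval() {
    grep -q 'eval.*user_prefix' "$1"
}

# Hardened expansion: only a leading "~" or "~/" is rewritten to $HOME; every other
# character is kept literally, so shell metacharacters in the value are inert.
safe_expand_prefix() {
    case "$1" in
        "~")   printf '%s\n' "$HOME" ;;
        "~/"*) printf '%s\n' "$HOME/${1#"~/"}" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# Constructed sample fragments written to temp files so the checker has input.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
VULN_SCRIPT="$SAMPLE_DIR/installer-vulnerable.sh"
SAFE_SCRIPT="$SAMPLE_DIR/installer-fixed.sh"

cat > "$VULN_SCRIPT" <<'EOF'
# constructed fragment: the weak pattern the advisory describes
printf 'Install prefix: '
read -r user_prefix
eval PREFIX="$user_prefix"
EOF

cat > "$SAFE_SCRIPT" <<'EOF'
# constructed fragment: prefix expanded by a function, never by eval
printf 'Install prefix: '
read -r user_prefix
PREFIX=$(safe_expand_prefix "$user_prefix")
EOF

# Report which sample scripts still carry the weak pattern.
for script in "$VULN_SCRIPT" "$SAFE_SCRIPT"; do
    if has_unsafe_eval "$script"; then
        echo "FLAGGED: $script uses eval on user_prefix"
    else
        echo "clean:   $script"
    fi
done

# The hardened helper keeps an embedded "$USER" as literal text rather than expanding it.
safe_expand_prefix '~/conda/$USER'
```

Point `has_unsafe_eval` at a real downloaded installer script to get the same yes/no answer the `grep -n` command above gives, and note that `safe_expand_prefix` deliberately handles only the tilde case: anything beyond that (variables, command substitution) stays literal, which is the property the fixed release's expansion is described as having.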


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the conda constructor package to version 3.11.3 or later, where the vulnerability has been patched by removing the unsafe eval usage. Avoid entering or using untrusted or malicious installation prefixes during installation. Since no workaround exists other than avoiding malicious paths, upgrading is the recommended action. [1, 2]

