CVE-2025-49842
Status: Awaiting Analysis
BaseFortify

Publication date: 2025-06-17

Last updated on: 2025-06-17

Assigner: GitHub, Inc.

Description
conda-forge-webservices is the web app deployed to run conda-forge admin commands and linting. Prior to version 2025.3.24, the conda_forge_webservice Docker container executes commands without specifying a user. By default, Docker containers run as the root user, which increases the risk of privilege escalation and host compromise if a vulnerability is exploited. This issue has been patched in version 2025.3.24.
Meta Information
Published: 2025-06-17
Last Modified: 2025-06-17
Generated: 2026-05-07
AI Q&A: 2025-06-17
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
No structured vendor/product data is recorded for this entry. Per the description, the affected product is conda-forge-webservices (the conda_forge_webservice container image) in versions before 2025.3.24.
CWE
CWE-276 (Incorrect Default Permissions): During installation, installed file permissions are set to allow anyone to modify those files.
Note that the CWE-276 text concerns file permissions, while the weakness described here is a service process running as uid 0 when it does not need to, which is closer to CWE-250 (Execution with Unnecessary Privileges).
AI Powered Q&A
Can you explain this vulnerability to me?

The conda_forge_webservice Docker image never sets a USER, so Docker's default applies and every process in the container runs as root (uid 0). Root inside a container is not a vulnerability on its own, but it removes a layer of defence: if an attacker gains code execution through some other flaw in the service, they already hold uid 0, can tamper with anything in the container filesystem, and need only a container-escape path (a kernel or runtime bug, an over-privileged mount, a privileged container) to reach the host. The fix in version 2025.3.24 switches the container to a dedicated non-root user named 'conda'. [1, 2]


How can this vulnerability impact me? :

On its own this issue gives an attacker nothing; it matters once another bug yields code execution inside the container. In that case the attacker starts as uid 0 rather than as an unprivileged user, so there is no further in-container privilege escalation to do, and host compromise becomes possible wherever a container-escape route exists (a privileged container, a mounted Docker socket, or a kernel or runtime vulnerability). The result could be unauthorized access, data exposure, or control of the host. The severity is rated low, and some environments, such as Heroku, are not affected because they do not run containers as root. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Check which user the running container uses. List containers with `docker ps`, then query the configured user with `docker inspect --format '{{.Config.User}}' <container_id>`: an empty value means the image sets no USER and therefore runs as root, as do `root`, `0` and `0:0`. Confirm from inside with `docker exec <container_id> id -u`; a result of `0` means root. Also inspect the Dockerfile or the image history (`docker history <image>`) for a USER directive, and compare the deployed image version against 2025.3.24. One caveat: if the daemon uses user namespace remapping (`userns-remap`), uid 0 inside the container maps to an unprivileged uid on the host, which lowers but does not remove the concern. [2, 1]
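The following script turns the checks above into a repeatable audit of every running container. It is an added example, not part of the advisory or the conda-forge project; the function names are ours, and it assumes the `docker` CLI is on PATH with access to the daemon. The classification of `.Config.User` values is the interesting part: Docker reports an empty string when the image has no USER directive, and that empty string means root.

```shell
#!/bin/sh
# Added example (not from the advisory or conda-forge-webservices): audit running
# Docker containers for the weakness in CVE-2025-49842, an image that never sets
# USER so its processes run as uid 0. Function names and sample values are ours.

# Classify the value of .Config.User as printed by
#   docker inspect --format '{{.Config.User}}' <container>
# Docker leaves it empty when the image has no USER directive, which means root.
# Forms seen in practice: "", "root", "0", "0:0", "root:root", "conda", "10001:10001".
classify_container_user() {
    case "$1" in
        ""|root|0|0:*|root:*) echo "root" ;;
        *)                   echo "non-root" ;;
    esac
}

# Cross-check from inside the container: the effective uid of a process started
# via docker exec (0 means root). Catches images whose USER is a numeric uid.
effective_uid_in_container() {
    docker exec "$1" id -u 2>/dev/null
}

# Walk every running container and report the ones running as root.
# Returns 0 when none do, 1 otherwise, so it can gate a CI or cron job.
audit_running_containers() {
    found=0
    for cid in $(docker ps -q); do
        name=$(docker inspect --format '{{.Name}}' "$cid" | sed 's#^/##')
        image=$(docker inspect --format '{{.Config.Image}}' "$cid")
        user=$(docker inspect --format '{{.Config.User}}' "$cid")
        if [ "$(classify_container_user "$user")" = "root" ]; then
            found=$((found + 1))
            printf 'ROOT      %s  image=%s  Config.User=%s  uid=%s\n' \
                "$name" "$image" "${user:-<unset>}" "$(effective_uid_in_container "$cid")"
        else
            printf 'non-root  %s  image=%s  Config.User=%s\n' "$name" "$image" "$user"
        fi
    done
    [ "$found" -eq 0 ]
}

# Run the audit only when invoked as `sh audit.sh --run`, so the functions can
# also be sourced and used individually.
if [ "${1:-}" = "--run" ]; then
    audit_running_containers
fi
```

A `ROOT` line for the conda-forge-webservices container on a version before 2025.3.24 is the expected finding. Remember the userns-remap caveat: the script reports what the container sees, and with remapping enabled an in-container uid 0 is not root on the host.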


What immediate steps should I take to mitigate this vulnerability?

Upgrade to conda-forge-webservices 2025.3.24 or later, where the container runs as the non-root user 'conda'. If you cannot upgrade, add the user yourself: create a dedicated unprivileged account in the image and add a `USER` directive to the Dockerfile, or override the user at runtime with `docker run --user <uid>:<gid>` (or `user:` in a Compose file). Either way, make sure the paths the service must write to are owned by that user, or it will fail on start. As defence in depth, drop capabilities the service does not need (`--cap-drop ALL`) and set `--security-opt no-new-privileges`, so that even a compromised process cannot regain privileges. [2, 1]
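The Dockerfile below shows the weak pattern beside the hardened one. It is an added example and not the conda-forge-webservices Dockerfile: the base image, paths, uid and entrypoint are placeholders, and only the user name 'conda' follows the page's description of the fix.

```dockerfile
# Added example, not the project's Dockerfile. Base image, paths, uid/gid and the
# CMD are placeholders; the user name 'conda' follows the page's description of the fix.

# --- Weak: no USER directive, so every RUN step and the runtime process are uid 0 ---
# FROM python:3.12-slim
# COPY . /app
# RUN pip install --no-cache-dir /app
# CMD ["python", "-m", "webservice"]

# --- Hardened ---
FROM python:3.12-slim

# Create an unprivileged system user with a fixed uid/gid. A fixed numeric id keeps
# ownership of bind-mounted volumes predictable and lets `docker run --user 10001:10001`
# refer to the same identity.
RUN groupadd --system --gid 10001 conda \
 && useradd --system --uid 10001 --gid conda --home-dir /home/conda --create-home \
            --shell /usr/sbin/nologin conda

WORKDIR /app
# Steps that genuinely need root (package installation) still run as root above USER.
COPY --chown=conda:conda . /app
RUN pip install --no-cache-dir /app

# Only the paths the service must write to belong to the service user; everything
# else stays root-owned and read-only from the service's point of view.
RUN mkdir -p /app/work && chown conda:conda /app/work

# From here on, including CMD/ENTRYPOINT, the container runs as the unprivileged user.
USER conda:conda
CMD ["python", "-m", "webservice"]
```

Verify the result with `docker inspect --format '{{.Config.User}}' <container>` (it should print `conda:conda`) and `docker exec <container> id -u` (it should print `10001`). If the service later fails with permission errors, the missing piece is almost always a writable path that was not chowned to the new user.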

