216.73.217.47

CVE-2025-32784

· Published 15/04/2025 22:15 · Modified 15/04/2025 22:15

Labels: CVE-2025-32784 2025-04-15CVE-2025-32784CWE-367[email protected]

Essential information

Published
15/04/2025 22:15
Modified
15/04/2025 22:15
Author
Creator
CVSS
7.5 HIGH (v3) 7.5 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

conda-forge-webservices is the web app deployed to run conda-forge admin commands and linting. In versions prior to 2025.4.10, a race condition vulnerability has been identified in the conda-forge-webservices component used within the shared build infrastructure. This vulnerability, categorized as a Time-of-Check to Time-of-Use (TOCTOU) issue, can be exploited to introduce unauthorized modifications to build artifacts stored in the cf-staging Anaconda channel. Exploitation may result in the unauthorized publication of malicious artifacts to the production conda-forge channel. The core vulnerability results from the absence of atomicity between the hash validation and the artifact copy operation. This gap allows an attacker, with access to the cf-staging token, to overwrite the validated artifact with a malicious version immediately after hash verification, but before the copy action is executed. As the cf-staging channel permits artifact overwrites, such an operation can be carried out using the anaconda upload --force command. This vulnerability is fixed in 2025.4.10.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
conda-forge / conda-forge-webservices cpe:2.3:a:conda-forge:conda-forge-webservices:<2025.4.10:*:*:*:*:*:*:*

References