CVE-2025-32800
CRITICALDescription
Conda-build contains commands and tools to build conda packages. Prior to version 25.3.0, the pyproject.toml lists conda-index as a Python dependency. This package is not published in PyPI. An attacker could claim this namespace and upload arbitrary (malicious) code to the package, and then exploit pip install commands by injecting the malicious dependency in the solve. This issue has been fixed in version 25.3.0. A workaround involves using --no-deps for pip install-ing the project from the repository.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| anaconda | conda-build |
References
Frequently Asked Questions
What is CVE-2025-32800? +
How severe is CVE-2025-32800? +
What products are affected by CVE-2025-32800? +
How do I check if I'm vulnerable to CVE-2025-32800? +
Related Vulnerabilities
SUBNET Solutions Inc. has identified vulnerabilities in third-party components used in PowerSYSTEM Server 2021 and Substation Server 2021.
SUBNET Solutions Inc. has identified vulnerabilities in third-party components used in PowerSYSTEM Center.
SUBNET Solutions Inc. has identified vulnerabilities in third-party components used in Substation Server.
Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-build recipe processing logic has been …
Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-build processing logic is vulnerable to …
Anaconda3 macOS installers before 2024.06-1 contain a local privilege escalation vulnerability when installed outside the user's home directory. During installation, …