CVE-2025-64343
HIGHDescription
(conda) Constructor is a tool that enables users to create installers for conda package collections. In versions 3.12.2 and below, the installation directory inherits permissions from its parent directory. Outside of restricted directories, the permissions are very permissive and often allow write access by authenticated users. Any logged in user can make modifications during the installation for both single-user and all-user installations. This constitutes a local attack vector if the installation is in a directory local users have access to. For single-user installations in a shared directory, these permissions persist after the installation. This issue is fixed in version 3.13.0.
Is your site exposed to CVE-2025-64343?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
References
Frequently Asked Questions
What is CVE-2025-64343? +
How severe is CVE-2025-64343? +
How do I check if I'm vulnerable to CVE-2025-64343? +
Related Vulnerabilities
When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause …
DataEase is an open source data visualization analysis tool. Prior to 2.10.4, there is a flaw in the authentication in …
The Elated Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.2. This …
The Eventer plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, …
Unraid 7.0.0 before 7.0.1 allows remote users to access the Unraid WebGUI and web console as root without authentication if …
The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows …