How to fix CVE-2025-32797?

Within 24 hours: Identify all systems running conda-build versions prior to 25.3.1 and isolate shared development environments from untrusted users if patching cannot be immediately deployed. Within 7 days: Apply vendor patch to upgrade conda-build to version 25.3.1 across all affected systems. Within 30 days: Conduct a security audit of build pipelines and artifacts created during the vulnerability window, review access logs for suspicious activity, and implement additional filesystem monitoring on build directories.

Is Conda Build affected by CVE-2025-32797?

CVE-2025-32797 affects conda-build users and poses a significant risk in shared computing environments where multiple users access the same system.

CVE-2025-32797

EUVD-2025-18461 HIGH

2025-06-16 [email protected]

7.0

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 21:59 euvd

EUVD-2025-18461

Analysis Generated

Mar 14, 2026 - 21:59 vuln.today

Patch Released

Mar 14, 2026 - 21:59 nvd

Patch available

CVE Published

Jun 16, 2025 - 19:15 nvd

HIGH 7.0

Description

Conda-build contains commands and tools to build conda packages. Prior to version 25.3.1, the write_build_scripts function in conda-build creates the temporary build script conda_build.sh with overly permissive file permissions (0o766), allowing write access to all users. Attackers with filesystem access can exploit a race condition to overwrite the script before execution, enabling arbitrary code execution under the victim's privileges. This risk is significant in shared environments, potentially leading to full system compromise. Even with non-static directory names, attackers can monitor parent directories for file creation events. The brief window between script creation (with insecure permissions) and execution allows rapid overwrites. Directory names can also be inferred via timestamps or logs, and automation enables exploitation even with semi-randomized paths by acting within milliseconds of detection. This issue has been patched in version 25.3.1. A workaround involves restricting conda_build.sh permissions from 0o766 to 0o700 (owner-only read/write/execute). Additionally, use atomic file creation (write to a temporary randomized filename and rename atomically) to minimize the race condition window.

Analysis

A security vulnerability in Conda-build (CVSS 7.0). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Technical Context

Vulnerability type: remote code execution. CVSS 7.0 indicates high severity. Affects Conda-build.

Affected Products

['Conda-build']

Remediation

Apply the vendor-supplied patch immediately.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +35

POC: 0

CVE-2025-32797 vulnerability details – vuln.today

Back

CVE-2025-32797

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-32797

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code