Skip to main content

Conda Build CVE-2025-32799

| EUVD-2025-18459 CRITICAL
Path Traversal (CWE-22)
2025-06-16 security-advisories@github.com
RCE Privilege Escalation Path Traversal Conda Build
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
EUVD ID Assigned
Mar 14, 2026 - 21:59 euvd
EUVD-2025-18459
Analysis Generated
Mar 14, 2026 - 21:59 vuln.today
Patch released
Mar 14, 2026 - 21:59 nvd
Patch available
PoC Detected
Jul 02, 2025 - 18:12 vuln.today
Public exploit code
CVE Published
Jun 16, 2025 - 21:15 nvd
CRITICAL 9.8

DescriptionGitHub Advisory

Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-build processing logic is vulnerable to path traversal (Tarslip) attacks due to improper sanitization of tar entry paths. Attackers can craft tar archives containing entries with directory traversal sequences to write files outside the intended extraction directory. This could lead to arbitrary file overwrites, privilege escalation, or code execution if sensitive locations are targeted. This issue has been patched in version 25.4.0.

AnalysisAI

Conda-build versions prior to 25.4.0 are vulnerable to path traversal (Tarslip) attacks that allow unauthenticated remote attackers to write arbitrary files outside intended extraction directories by crafting malicious tar archives with directory traversal sequences. This critical vulnerability (CVSS 9.8) affects all users and systems utilizing conda-build for package compilation, with potential for privilege escalation and code execution depending on target file locations and system permissions.

Technical ContextAI

Conda-build is a packaging tool used to construct conda packages from source code. The vulnerability exists in the tar archive extraction processing logic, which fails to properly sanitize or validate tar entry paths before extraction. This is a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal') vulnerability, also known as a Tarslip attack. Affected CPE: cpe:2.3:a:anaconda:conda-build:*:*:*:*:*:*:*:* (versions < 25.4.0). The root cause stems from inadequate input validation on tar entry names containing sequences like '../' or absolute paths, which when processed by tar extraction functions without sanitization, write files to unintended locations in the filesystem hierarchy.

RemediationAI

  • action: immediate_patch; details: Upgrade conda-build to version 25.4.0 or later immediately. Execute: 'conda install conda-build=25.4.0' or 'pip install --upgrade conda-build>=25.4.0'.
  • action: temporary_mitigation; details: Until patched, restrict tar archive processing to trusted sources only. Implement air-gapped or network-isolated build environments. Disable automatic package fetching and require manual, source-verified tar archives.
  • action: validation; details: After upgrading, verify patch installation with 'conda-build --version' and confirm version output is >= 25.4.0. Re-run any previously built packages to ensure no compromised artifacts were generated.
  • action: monitoring; details: Monitor conda-build processes for unusual file write patterns outside build directories. Use file integrity monitoring (e.g., aide, osquery) on critical system directories (/etc, /usr/bin, /opt, /home) during build operations.

Share

CVE-2025-32799 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy