Skip to main content

EUVDEUVD-2025-18445

| CVE-2025-49823 NONE
Command Injection (CWE-77)
2025-06-17 security-advisories@github.com

Severity by source

GitHub Advisory
0.0 LOW
AV:P/AC:H/PR:H/UI:R/S:C/C:N/I:N/A:N

CVSS VectorGitHub Advisory

CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:N/I:N/A:N
Attack Vector
Physical
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
None
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
3.11.3
EUVD ID Assigned
Mar 14, 2026 - 22:15 euvd
EUVD-2025-18445
Analysis Generated
Mar 14, 2026 - 22:15 vuln.today
CVE Published
Jun 17, 2025 - 03:15 nvd
NONE

DescriptionGitHub Advisory

(conda) Constructor is a tool which allows constructing an installer for a collection of conda packages. Prior to version 3.11.3, shell installer scripts process the installation prefix (user_prefix) using an eval statement, which executes unsanitized user input as shell code. Although the script runs with user privileges (not root), an attacker could exploit this by injecting arbitrary commands through a malicious path during installation. Exploitation requires explicit user action. This issue has been patched in version 3.11.3.

Analysis

(conda) Constructor is a tool which allows constructing an installer for a collection of conda packages. Prior to version 3.11.3, shell installer scripts process the installation prefix (user_prefix) using an eval statement, which executes unsanitized user input as shell code. Although the script runs with user privileges (not root), an attacker could exploit this by injecting arbitrary commands through a malicious path during installation. Exploitation requires explicit user action. This issue has been patched in version 3.11.3.

Technical ContextAI

Command injection allows an attacker to execute arbitrary OS commands on the host system through a vulnerable application that passes user input to system shells.

RemediationAI

Avoid passing user input to system commands. Use language-specific APIs instead of shell commands. If unavoidable, use strict input validation and escaping.

Share

EUVD-2025-18445 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy