CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
Conda-build contains commands and tools to build conda packages. Prior to version 25.3.0, the pyproject.toml lists conda-index as a Python dependency. This package is not published in PyPI. An attacker could claim this namespace and upload arbitrary (malicious) code to the package, and then exploit pip install commands by injecting the malicious dependency in the solve. This issue has been fixed in version 25.3.0. A workaround involves using --no-deps for pip install-ing the project from the repository.
Analysis
Conda-build releases before 25.3.0 declare conda-index as a Python dependency in pyproject.toml, but no project of that name existed on PyPI. Anyone who pip-installs conda-build with dependency resolution enabled therefore asks PyPI for a name that nobody owns. That is a dependency confusion (namespace squatting) attack: an attacker registers conda-index on PyPI and uploads a distribution whose code pip installs and then executes, either through the sdist's setup hooks at install time or on first import. The advisory rates it CVSS 9.8 (CRITICAL): reachable over the network, no privileges or user interaction required, and full loss of confidentiality, integrity and availability on the host performing the install. The population at risk is anyone who pip-installs an affected conda-build from source, or a project that pulls it in transitively, so developer workstations and CI/CD build hosts are the natural targets.
Technical Context
The weakness is catalogued as CWE-1357 (Reliance on Insufficiently Trustworthy Component): the project's packaging metadata points the installer at a name whose binding on the public index the project does not control. Conda-build's pyproject.toml lists conda-index as a required dependency, yet conda-index is distributed as a conda package and had not been published to PyPI. pip resolves every declared name against its configured index (PyPI by default), and PyPI hands unclaimed names to the first registrant, so whoever first uploaded a conda-index distribution would decide what pip installs to satisfy that requirement. The root cause is a mismatch between the ecosystem the dependency lives in (conda channels) and the resolver the metadata is written for (pip): a dependency that is only obtainable from conda must be vendored, published to PyPI by the project itself, or kept out of the pip metadata. Affected CPE: cpe:2.3:a:conda:conda-build:*:*:*:*:*:*:*:* for versions < 25.3.0. The attack relies on the implicit trust users place in dependency resolution and on the first-come, first-served nature of PyPI project names.
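As an added example (not code from the conda-build project or from vuln.today), the check a maintainer or a supply-chain audit can run over a pyproject.toml to surface exactly the condition this advisory describes: a declared dependency whose name nobody has claimed on the index pip will consult. The pyproject fragment and the set of published names below are constructed fixtures; a real audit replaces the static set with a query to the index for each declared name.

```python
"""Flag 'phantom' dependencies: names a pyproject.toml declares that do not
exist on the index pip resolves against.  Added example; not code from the
conda-build project.  The dependency list and the set of published names
below are constructed fixtures, not real PyPI data."""
import re

try:
    import tomllib  # standard library on Python 3.11+
except ImportError:  # older interpreters: fall back to a minimal extractor
    tomllib = None

# Constructed pyproject.toml fragment modelled on the pre-25.3.0 situation:
# conda-index is declared, but (in this fixture) it is not on the index.
SAMPLE_PYPROJECT = """\
[project]
name = "conda-build"
dependencies = [
  "conda-index >=0.4",
  "jinja2",
  "PyYAML",
  "requests >=2.31",
]
"""

# Constructed stand-in for "names that resolve on the configured index".
# A real audit would query the index (for PyPI: https://pypi.org/simple/<name>/)
# for each declared name instead of consulting a static set.
PUBLISHED_ON_INDEX = {"Jinja2", "pyyaml", "requests"}


def normalize(name):
    """PEP 503 normalisation: case-insensitive, runs of -_. collapse to '-'.
    pip compares project names this way, so the audit must too."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(requirement):
    """Project name at the start of a PEP 508 requirement string
    ('conda-index >=0.4' -> 'conda-index')."""
    match = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", requirement)
    if not match:
        raise ValueError(f"cannot parse requirement: {requirement!r}")
    return match.group(1)


def declared_dependencies(pyproject_text):
    """Runtime dependencies from the [project] table."""
    if tomllib is not None:
        data = tomllib.loads(pyproject_text)
        return list(data.get("project", {}).get("dependencies", []))
    # Fallback without a TOML parser: pull the quoted strings out of the array.
    block = re.search(r"^dependencies\s*=\s*\[(.*?)\]", pyproject_text, re.M | re.S)
    return re.findall(r'"([^"]*)"', block.group(1)) if block else []


def phantom_dependencies(pyproject_text, published_names):
    """Declared names that no project on the index claims.  Each of these is
    a name an attacker could register and have pip install in the project's
    place the next time someone runs `pip install .` with dependencies on."""
    claimed = {normalize(n) for n in published_names}
    return [
        requirement_name(req)
        for req in declared_dependencies(pyproject_text)
        if normalize(requirement_name(req)) not in claimed
    ]


if __name__ == "__main__":
    for name in phantom_dependencies(SAMPLE_PYPROJECT, PUBLISHED_ON_INDEX):
        print(f"phantom dependency: {name!r} is declared but unclaimed on the index")
```

Run it against the fixture and only conda-index is reported; add a name spelled conda_index or Conda.Index to the published set and the finding disappears, because pip, and therefore this check, compares names after PEP 503 normalisation. The same logic applies to optional-dependencies groups and to build-system requires, which pip resolves from the same index.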
Affected Products
Product: conda-build. Vendor: conda (Anaconda, Inc.). Affected versions: every release before 25.3.0 (CPE cpe:2.3:a:conda:conda-build:*:*:*:*:*:*:*:*, version < 25.3.0). The exposure is specifically the pip metadata: anyone who pip-installs an affected version with dependency resolution enabled asks PyPI for conda-index. That covers pip install . or pip install -e . in a clone of the repository, pip pointed at a Git URL of an affected commit, and any requirements.txt, pyproject.toml or setup.py that pulls in conda-build < 25.3.0 transitively; dev-environment bootstrap scripts and CI jobs that do this are the typical cases. Installing conda-build with the conda package manager (conda install conda-build) is not affected: conda resolves against conda channels, where conda-index is a real, maintained package, and PyPI is never consulted.
Remediation
Immediate actions: (1) Upgrade to conda-build 25.3.0 or later, which fixes the issue by removing or correcting the conda-index declaration in pyproject.toml. With pip, quote the specifier so the shell does not treat > as a redirect: pip install --upgrade "conda-build>=25.3.0" (or point pip at a 25.3.0-or-later checkout); with conda, conda install "conda-build>=25.3.0". (2) If you cannot upgrade yet, use the advisory's workaround and install the project without dependency resolution, pip install --no-deps . in the checkout, then supply the real dependencies yourself, preferably from conda channels, where conda-index is a genuine package. Note that --no-deps also skips every other runtime dependency, so the environment has to be completed by hand. (3) Verify what is installed: pip show conda-build (or conda list conda-build); anything below 25.3.0 is affected and should be upgraded first. (4) In CI/CD, pin conda-build>=25.3.0 wherever it is declared (requirements.txt, pyproject.toml, setup.cfg), or install conda-build with conda rather than pip. (5) Check whether a conda-index distribution appeared on PyPI during the exposure window; if one did, report it to PyPI's security/abuse contact and treat any environment that installed it as compromised. (6) Look for conda-index in pip list and pip freeze output and in pip install logs from the exposure window; a conda-index that pip, rather than conda, installed is the indicator that the squatted name was pulled in.
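The environment checks in steps (3) and (6), as an added example rather than the project's or vuln.today's own tooling. It reads the .dist-info metadata that pip list and pip show also read: the version gate for conda-build, and the INSTALLER file, which records which tool installed a distribution, so a conda-index that came from pip can be told apart from one installed from a conda channel. The site-packages layout, package versions and installer values are constructed fixtures, and the statement that conda records "conda" in INSTALLER is an assumption about conda's behaviour, not something this page documents.

```python
"""Audit an installed environment for two remediation checks: conda-build
older than 25.3.0, and a conda-index distribution that pip (not conda)
installed.  Added example; not conda-build project code.  It reads the same
.dist-info metadata that `pip list` and `pip show` read, so the fixture
built in demo() stands in for a real site-packages directory."""
import importlib.metadata as md
import os
import re
import tempfile

FIXED_VERSION = (25, 3, 0)


def normalize(name):
    """PEP 503 project-name normalisation (how pip compares names)."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text):
    """Leading MAJOR.MINOR.PATCH of a version string as an int tuple.
    Sufficient for conda-build's CalVer releases; anything else is an error
    rather than a silent mis-compare."""
    match = re.match(r"^(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in match.groups())


def audit_site_packages(path):
    """Findings for every distribution under `path`.  INSTALLER is the file
    pip writes ('pip') when it installs a distribution; conda is assumed to
    write 'conda' for packages it installs (assumption, not verified here)."""
    findings = []
    for dist in md.distributions(path=[path]):
        name = normalize(dist.metadata["Name"])
        installer = (dist.read_text("INSTALLER") or "").strip() or "unknown"
        if name == "conda-build" and parse_version(dist.version) < FIXED_VERSION:
            findings.append(f"conda-build {dist.version} < 25.3.0: upgrade")
        if name == "conda-index" and installer != "conda":
            findings.append(
                f"conda-index {dist.version} installed by {installer}: "
                "not from a conda channel, treat the environment as suspect"
            )
    return sorted(findings)


def write_dist_info(site_packages, name, version, installer):
    """Constructed fixture: the minimal .dist-info that pip and importlib
    rely on (METADATA for name/version, INSTALLER for the installing tool)."""
    dist_dir = os.path.join(site_packages, f"{name.replace('-', '_')}-{version}.dist-info")
    os.makedirs(dist_dir)
    with open(os.path.join(dist_dir, "METADATA"), "w") as f:
        f.write(f"Metadata-Version: 2.1\nName: {name}\nVersion: {version}\n")
    with open(os.path.join(dist_dir, "INSTALLER"), "w") as f:
        f.write(installer + "\n")


def demo():
    """Fixture environment (constructed versions) in which an affected
    conda-build was pip-installed with dependencies and the squatted name
    came along; returns the audit findings."""
    with tempfile.TemporaryDirectory() as site_packages:
        write_dist_info(site_packages, "conda-build", "25.1.0", "pip")
        write_dist_info(site_packages, "conda-index", "0.0.1", "pip")
        write_dist_info(site_packages, "requests", "2.32.3", "pip")
        return audit_site_packages(site_packages)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

To run it against a real environment, call audit_site_packages with the directory that python -c "import sysconfig; print(sysconfig.get_paths()['purelib'])" prints; a conda-index whose INSTALLER says pip in an environment that never deliberately pip-installed it is the artefact step (6) asks you to look for.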
EUVD-2025-18458