CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-build recipe processing logic has been found to be vulnerable to arbitrary code execution due to unsafe evaluation of recipe selectors. Currently, conda-build uses the eval function to process embedded selectors in meta.yaml files. This approach evaluates user-defined expressions without proper sanitization, which allows arbitrary code to be executed during the build process. As a result, the integrity of the build environment is compromised, and unauthorized commands or file operations may be performed. The vulnerability stems from the inherent risk of using eval() on untrusted input in a context intended to control dynamic build configurations. By directly interpreting selector expressions, conda-build creates a potential execution pathway for malicious code, violating security assumptions. This issue has been patched in version 25.4.0.
Analysis
Critical arbitrary code execution vulnerability in conda-build prior to version 25.4.0, where unsafe eval() function usage on meta.yaml recipe selectors allows unauthenticated remote attackers to execute arbitrary code during the package build process with no required privileges or user interaction. This vulnerability affects all users and systems using vulnerable conda-build versions to process potentially malicious or compromised recipe files, with a CVSS score of 9.8 indicating critical severity across confidentiality, integrity, and availability impacts.
Technical Context
The vulnerability exists in conda-build's recipe processing logic, specifically in how it handles meta.yaml selector expressions. The meta.yaml file is a critical component of conda package recipes that defines build dependencies, version information, and platform-specific configurations. Conda-build uses the Python eval() function to dynamically interpret selector expressions embedded within these YAML files, which are intended to enable conditional build logic across different platforms and architectures. The root cause is CWE-94 (Improper Control of Generation of Code), where untrusted input from recipe files is directly evaluated as Python code without sanitization. This creates a direct execution pathway for arbitrary Python commands. The affected component is the conda-build recipe parser/evaluator (CPE likely: cpe:2.3:a:anaconda:conda-build:*:*:*:*:*:*:*:*), with all versions before 25.4.0 vulnerable to this code injection attack vector.
Affected Products
conda-build (All versions prior to 25.4.0)
Remediation
Upgrade (priority: IMMEDIATE): upgrade conda-build to version 25.4.0 or later, for example with conda install -c conda-forge "conda-build>=25.4.0" (the version spec is quoted so the shell does not treat ">=" as a redirection).
Workaround (priority: TEMPORARY): if an upgrade is not immediately possible, restrict processing of meta.yaml files to trusted sources only, and review and validate all recipe files before processing them with conda-build.
Detection (priority: CONCURRENT): audit build environment logs for suspicious Python code execution patterns in meta.yaml selector processing, and search recipe files for unexpected eval() calls or suspicious imports.
Preventive (priority: RECOMMENDED): sandbox or containerize conda-build execution to limit the blast radius if malicious code is executed, and restrict the build environment's network access and filesystem permissions.
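The eval()-based selector evaluation described above has a straightforward hardened counterpart: an allow-list parser. The following is an added example, not conda-build's own code or its fix. Selector expressions are parsed with Python's ast module and only boolean operators, comparisons, a fixed set of names and literal constants are accepted, so a selector containing a call, attribute access, subscript or unknown name is rejected before anything is evaluated. The selector names, the build context values, the regular expression for the trailing "# [...]" comment and the helper functions (validate_selector, evaluate_selector, scan_recipe, apply_selectors) are assumptions made for this example, not conda-build's real namespace or API. The scan_recipe helper also serves the Detection item above: run over a recipe, it lists every selector that falls outside the grammar, which is exactly the input a plain eval() would have executed.

```python
import ast
import operator
import re

# Added example, not conda-build's code. A selector is parsed into an AST
# and only boolean logic, comparisons, known names and literal constants
# are accepted; calls, attribute access, subscripts and unknown names are
# rejected before evaluation. Names and context are assumptions.

ALLOWED_NAMES = {"win", "linux", "osx", "unix", "py", "py3k", "x86_64", "arm64"}

# Constructed build context for a Linux x86_64 / Python 3.11 build.
CONTEXT = {"win": False, "linux": True, "osx": False, "unix": True,
           "py": 311, "py3k": True, "x86_64": True, "arm64": False}

# Every AST node type a selector may contain; anything else is rejected.
ALLOWED_NODES = (ast.Expression, ast.BoolOp, ast.UnaryOp, ast.Compare,
                 ast.Name, ast.Constant, ast.Load,
                 ast.And, ast.Or, ast.Not,
                 ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE)

COMPARE_OPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne,
               ast.Lt: operator.lt, ast.LtE: operator.le,
               ast.Gt: operator.gt, ast.GtE: operator.ge}

# Matches the trailing "# [selector]" comment on a meta.yaml line.
SELECTOR_RE = re.compile(r"#\s*\[(.+?)\]\s*$")


def validate_selector(expr):
    """Return None if expr is an acceptable selector, else a reason string."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        return f"syntax error: {exc.msg}"
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            return f"disallowed node {type(node).__name__}"
        if isinstance(node, ast.Name) and node.id not in ALLOWED_NAMES:
            return f"unknown name {node.id!r}"
        if isinstance(node, ast.Constant) and not isinstance(node.value, (bool, int, str)):
            return f"disallowed constant {node.value!r}"
    return None


def _ev(node, ctx):
    """Evaluate a validated selector AST by hand, never via eval()."""
    if isinstance(node, ast.Expression):
        return _ev(node.body, ctx)
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):
        return ctx[node.id]
    if isinstance(node, ast.UnaryOp):          # validation left only 'not'
        return not _ev(node.operand, ctx)
    if isinstance(node, ast.BoolOp):
        values = [_ev(v, ctx) for v in node.values]
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.Compare):          # supports chained a <= b < c
        left = _ev(node.left, ctx)
        for op, comparator in zip(node.ops, node.comparators):
            right = _ev(comparator, ctx)
            if not COMPARE_OPS[type(op)](left, right):
                return False
            left = right
        return True
    raise ValueError(f"unexpected node {type(node).__name__}")


def evaluate_selector(expr, ctx=CONTEXT):
    """Validate, then evaluate; fail closed on anything outside the grammar."""
    reason = validate_selector(expr)
    if reason is not None:
        raise ValueError(f"rejected selector {expr!r}: {reason}")
    return bool(_ev(ast.parse(expr, mode="eval"), ctx))


def scan_recipe(text):
    """Detection helper: (lineno, selector, reason) for each selector that fails validation."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = SELECTOR_RE.search(line)
        if match:
            selector = match.group(1).strip()
            reason = validate_selector(selector)
            if reason is not None:
                findings.append((lineno, selector, reason))
    return findings


def apply_selectors(text, ctx=CONTEXT):
    """Keep lines with no selector or a true selector; raise on a rejected one."""
    kept = []
    for line in text.splitlines():
        match = SELECTOR_RE.search(line)
        if match is None or evaluate_selector(match.group(1).strip(), ctx):
            kept.append(line)
    return kept


# Constructed sample recipe fragment (not a real conda-forge recipe). The
# last line carries a selector that a plain eval() would run as code.
SAMPLE_RECIPE = """\
requirements:
  build:
    - gcc            # [linux]
    - msvc           # [win]
    - python
  run:
    - python >=3.8   # [py>=38]
    - helper-pkg     # [helper()]
"""

if __name__ == "__main__":
    for finding in scan_recipe(SAMPLE_RECIPE):
        print("suspicious selector:", finding)
    clean = "\n".join(l for l in SAMPLE_RECIPE.splitlines() if "helper()" not in l)
    print("\n".join(apply_selectors(clean)))
```

The design choice is to fail closed: a selector that does not fit the grammar is never evaluated, and apply_selectors raises rather than silently dropping the line, so a build with a suspicious recipe stops instead of proceeding on partial input.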
EUVD-2025-18460