CVE-2025-32799

Medium CVSS: 5.6

Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-build processing logic is vulnerable to path traversal (Tarslip) attacks due to improper sanitization of tar entry paths. Attackers can craft tar archives containing entries with directory traversal sequences to write files outside the intended extraction directory. This could lead to arbitrary file overwrites, privilege escalation, or code execution if sensitive locations are targeted. This issue has been patched in version 25.4.0.

Vendor

Anaconda

Product

Conda-build

CWE

CWE-22

Yayın Tarihi

2025-06-16 21:15:23

Güncelleme

2025-07-02 18:12:39

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-22 Conda-build MEDIUM Anaconda 2025

Referanslar

https://github.com/conda/conda-build/blob/834448b995eee02cf1c2e7ca97bcfa9affc77ee5/conda_build/convert.py https://github.com/conda/conda-build/blob/834448b995eee02cf1c2e7ca97bcfa9affc77ee5/conda_build/render.py https://github.com/conda/conda-build/commit/bdf5e0022cec9a0c1378cca3f2dc8c92b4834673 https://github.com/conda/conda-build/security/advisories/GHSA-h499-pxgj-qh5h https://github.com/conda/conda-build/security/advisories/GHSA-h499-pxgj-qh5h

Benzer Kayıtlar

Medium

CVE-2026-23528

Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, an…

High

CVE-2024-46060

Anaconda3 macOS installers before 2024.06-1 contain a local privilege escalation vulnerability when installed outside th…

High

CVE-2025-32800

Conda-build contains commands and tools to build conda packages. Prior to version 25.3.0, the pyproject.toml lists conda…

High

CVE-2025-32798

Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-build recipe process…

Medium

CVE-2025-32797

Conda-build contains commands and tools to build conda packages. Prior to version 25.3.1, the write_build_scripts functi…