Arbitrary Code Execution Vulnerability in Conda-build by Anaconda
CVE-2025-32797

Score: 6 (MEDIUM)

Key Information:

Vendor:
Conda

CVE Published:
16 June 2025

What is CVE-2025-32797?

The write_build_scripts function in Anaconda's conda-build tool writes a temporary build script, conda_build.sh, and in versions prior to 25.3.1 sets its mode to 0o766 (rwxrw-rw-), which makes the file writable by every user on the system. Any local user who can reach the same filesystem can therefore overwrite the script in the window between its creation and its execution by the build shell, a classic time-of-check/time-of-use race. Whatever the attacker writes then runs with the privileges of the user running conda-build: on shared hosts such as build servers or multi-user workstations this means code execution as another user, and full system compromise if that user is root. The window is short, but an attacker can watch the build directory for the file to appear (for example with inotify) and replace its contents immediately. Affected users should upgrade to conda-build 25.3.1 or later. The general hardening for this pattern is to apply owner-only permissions (0o700) at the moment the file is created and to create it atomically, so that no world-writable window exists at any point.
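The two patterns side by side, as an added illustration rather than conda-build's own code: the flawed "write, then chmod 0o766" sequence the advisory describes, and a hardened variant that creates the file with O_CREAT|O_EXCL and mode 0o700 at creation time. The function names, the script body and the temporary directory layout are illustrative assumptions and do not reflect the real write_build_scripts signature; the permission check at the end is the kind a practitioner can run against an existing build tree.

```python
"""Added example (not conda-build's own code): the world-writable build-script
pattern from the advisory beside a hardened equivalent.

Names such as write_build_script_vulnerable/hardened are illustrative only and
are not conda-build's API. SCRIPT_BODY is a constructed sample."""
import os
import stat
import tempfile

SCRIPT_BODY = "#!/bin/sh\necho building\n"  # constructed sample content


def write_build_script_vulnerable(work_dir: str) -> str:
    """Mimic the flawed pattern: write the script, then chmod it to 0o766.

    0o766 is rwxrw-rw-: any local user can rewrite the script between this
    call and the moment the build shell executes it (TOCTOU race).
    """
    path = os.path.join(work_dir, "conda_build.sh")
    with open(path, "w") as fh:
        fh.write(SCRIPT_BODY)
    os.chmod(path, 0o766)
    return path


def write_build_script_hardened(work_dir: str) -> str:
    """Create the script atomically with owner-only permissions.

    O_CREAT|O_EXCL makes the call fail if the path already exists, so an
    attacker cannot pre-plant a file or symlink there, and the 0o700 mode is
    applied at creation time, so there is never a group/world-writable window.
    """
    path = os.path.join(work_dir, "conda_build.sh")
    old_umask = os.umask(0o077)  # umask can only clear bits; keep it strict
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o700)
    finally:
        os.umask(old_umask)
    with os.fdopen(fd, "w") as fh:
        fh.write(SCRIPT_BODY)
    return path


def is_writable_by_others(path: str) -> bool:
    """True if the group or 'other' write bit is set (a quick audit check)."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def demo() -> dict:
    """Create both variants in a scratch directory and report their modes."""
    with tempfile.TemporaryDirectory() as d:
        vuln_dir = os.path.join(d, "vuln")
        hard_dir = os.path.join(d, "hard")
        os.mkdir(vuln_dir)
        os.mkdir(hard_dir)
        vuln_path = write_build_script_vulnerable(vuln_dir)
        hard_path = write_build_script_hardened(hard_dir)
        result = {
            "vulnerable_mode": oct(stat.S_IMODE(os.stat(vuln_path).st_mode)),
            "vulnerable_writable_by_others": is_writable_by_others(vuln_path),
            "hardened_mode": oct(stat.S_IMODE(os.stat(hard_path).st_mode)),
            "hardened_writable_by_others": is_writable_by_others(hard_path),
        }
        # A second hardened write must refuse to reuse a file that may have
        # been planted at the path instead of silently overwriting it.
        try:
            write_build_script_hardened(hard_dir)
            result["hardened_refuses_existing"] = False
        except FileExistsError:
            result["hardened_refuses_existing"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the chmod in the vulnerable variant forces the mode to exactly 0o766 regardless of the process umask, which is why a restrictive umask on the build host does not mitigate the original issue; the hardened variant never exposes a permissive mode at any point, so there is nothing for an attacker to race.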

Affected Version(s)

conda-build < 25.3.1

CVSS V4

Score:
6
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Requirements:
Present
Privileges Required:
Undefined
User Interaction:
None
