Path Traversal Vulnerability in Conda-build by Anaconda, Inc.
CVE-2025-32799

5.6 MEDIUM

Key Information:

Vendor: Conda
CVE Published: 16 June 2025

What is CVE-2025-32799?

Conda-build, a tool for building conda packages developed by Anaconda, Inc., is subject to a path traversal vulnerability due to improper sanitization of tar entry paths. Attackers can craft malicious tar archives whose entries contain directory traversal sequences, so that extraction writes outside the intended extraction directory. These unauthorized file writes could lead to arbitrary file overwrites, privilege escalation, or potential code execution targeting sensitive system locations. The issue has been rectified in version 25.4.0.

Affected Version(s)

conda-build < 25.4.0

CVSS V4

Score: 5.6
Severity: MEDIUM
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
