Security Flaw in Conda-Build Affects Package Dependency Management
CVE-2025-32800

7.2 HIGH

Key Information:

Vendor: Conda
CVE Published: 16 June 2025

What is CVE-2025-32800?

Conda-Build, a tool used for building conda packages, was vulnerable to a namespace takeover prior to version 25.3.0 because it depended on the unlisted 'conda-index' package. An attacker could exploit this by claiming the 'conda-index' namespace and injecting malicious code into package installations performed through pip commands. The issue has been addressed in version 25.3.0; the recommended workaround is to use '--no-deps' when installing projects directly from the repository.

Affected Version(s)

conda-build < 25.3.0

CVSS V4

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None
