OpenSSL Configuration Vulnerability in conda-forge on Microsoft Windows
CVE-2025-35471

7 HIGH

Key Information:

Vendor
CVE Published:
13 May 2025

What is CVE-2025-35471?

The conda-forge openssl-feedstock prior to version 066e83c on Microsoft Windows contains an improper configuration vulnerability: OpenSSL is configured with an OPENSSLDIR file path that non-privileged local users can write to. By placing a crafted openssl.cnf file in this directory, an attacker can execute arbitrary code with the privileges of the user or process that loads the affected DLLs. Impacted versions include Miniforge before 24.5.0; users of these versions should update their installations immediately to mitigate the risk.
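To check an installation for the condition described above, the following PowerShell audit is an added example, not code from this advisory or from conda-forge. It assumes the environment's openssl.exe is on PATH; the function names are hypothetical.

```powershell
# Added example: report whether OPENSSLDIR (or the nearest existing parent
# directory) grants write access to broad, non-privileged groups.

function Get-OpenSslDir {
    param([string]$OpenSslExe = 'openssl')   # assumption: resolved from PATH
    # `openssl version -d` prints a line of the form: OPENSSLDIR: "C:\some\path"
    $out = (& $OpenSslExe version -d) -join ' '
    if ($out -match 'OPENSSLDIR:\s*"(.+?)"') { return $Matches[1] }
    throw "Could not parse OPENSSLDIR from: $out"
}

function Get-NearestExistingPath {
    param([string]$Path)
    # If OPENSSLDIR does not exist, whoever can create it under the nearest
    # existing parent controls openssl.cnf, so that parent's ACL is what matters.
    while ($Path -and -not (Test-Path -LiteralPath $Path)) {
        $Path = Split-Path -Path $Path -Parent
    }
    return $Path
}

function Get-BroadWriteAce {
    param([string]$Path)
    # Well-known SIDs: Everyone, Authenticated Users, INTERACTIVE, BUILTIN\Users.
    $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-545'
    # Rights that allow planting or replacing a file, plus GENERIC_ALL/GENERIC_WRITE bits.
    $rights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, ChangePermissions, TakeOwnership'
    $mask = [int]$rights -bor 0x50000000
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit and inherited Allow ACEs; Deny ACEs are not evaluated here.
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broadSids -contains $_.IdentityReference.Value -and
            ([int]$_.FileSystemRights -band $mask)
        }
}

$dir      = Get-OpenSslDir
$existing = Get-NearestExistingPath $dir
if (-not $existing) { throw "No existing parent directory found for '$dir'" }
$findings = @(Get-BroadWriteAce $existing)
if ($findings.Count -gt 0) {
    Write-Warning "OPENSSLDIR '$dir': '$existing' is writable by broad groups"
    $findings | Format-Table IdentityReference, FileSystemRights, IsInherited, PropagationFlags
} else {
    "OPENSSLDIR '$dir': no broad write access found on '$existing'"
}
```

The check covers only the four broad groups listed; ACEs granted to individual unprivileged accounts need a separate review of the full ACL.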

Affected Version(s)

miniforge 0 < 24.5.0

openssl-feedstock 0 < 066e83c

miniforge 24.5.0

CVSS V4

Score:
7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
