Arbitrary Code Execution Vulnerability in conda-forge CI Setup Tool
CVE-2025-49598

4.4MEDIUM

Key Information:

Vendor: Conda-forge
Status: Conda-forge-ci-setup-feedstock
Vendor: CVE Published:; 13 June 2025

🔔 Create Conda-forge Vulnerability Alert

What is CVE-2025-49598?

The conda-forge CI setup tool contains a vulnerability arising from the unsafe utilization of the eval function, enabling an attacker with control over a custom meta.yaml file to inject malicious code. This issue is primarily relevant within CI/CD environments, where an attacker can alter the RECIPE_DIR variable and deliver a compromised recipe. The vulnerability has been addressed in version 4.15.0, reinforcing the security of the tool against such exploits.

Affected Version(s)

conda-forge-ci-setup-feedstock < 4.15.0

References

https://github.com/conda-forge/conda-forge-ci-setup-feeds...

x_refsource_CONFIRM

https://github.com/conda-forge/conda-forge-ci-setup-feeds...

x_refsource_MISC

CVSS V4

Score:

4.4

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 13, 2025
Vulnerability Reserved
Jun 6, 2025