Privilege Escalation Vulnerability in conda-forge Web Services by conda-forge
CVE-2025-49842

Key Information:

Vendor
CVE Published: 17 June 2025

What is CVE-2025-49842?

The conda-forge web services application, used for executing conda-forge admin commands and linting, previously allowed command execution without specifying a user in its Docker container. This behavior meant that commands were executed as the root user by default, leading to potential privilege escalation and heightened security risks. If exploited, attackers could leverage this vulnerability to gain unauthorized access to host systems. This issue has been addressed and patched in version 2025.3.24, enhancing the security posture of the application.

Affected Version(s)

conda-forge-webservices < 2025.3.24

CVSS V4

Score: 1
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
