File Permission Flaw in conda-smithy Tool by conda-forge
CVE-2025-49843

2.7LOW

Key Information:

Vendor

Conda-forge

Status
Conda-smithy
Vendor
CVE Published:
17 June 2025

What is CVE-2025-49843?

The conda-smithy tool, designed to streamline the integration of conda recipes with CI services, has a vulnerability in its travis_headers function. Prior to version 3.47.1, this function erroneously enabled file permissions exceeding 0o600, allowing unauthorized read and write access. This breach undermines the principle of least privilege, potentially exposing sensitive configuration files in shared hosting environments to attackers. Users are strongly advised to update to version 3.47.1 to mitigate this risk.

Affected Version(s)

conda-smithy < 3.47.1

References

https://github.com/conda-forge/conda-smithy/security/advi...
x_refsource_CONFIRM
https://github.com/conda-forge/conda-smithy/commit/24cc0a...
x_refsource_MISC
https://github.com/conda-forge/conda-smithy/blob/1dc21086...
x_refsource_MISC

CVSS V4

Score:
2.7
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-49843 : File Permission Flaw in conda-smithy Tool by conda-forge