Local File Permission Vulnerability in Constructor by conda
CVE-2025-64343

7.8 HIGH

Key Information:

Vendor: Conda
CVE Published: 7 November 2025

What is CVE-2025-64343?

The Constructor tool from conda lets users create custom installers for collections of conda packages. In versions up to and including 3.12.2, the installation directory inherits its permissions from the parent directory, which can leave it overly permissive and allow authenticated users to write within it. This creates a potential vulnerability for local users if the installation occurs in a shared directory. Any logged-in user can make modifications during both single-user and all-user installations, and the permissions persist after installation. Version 3.13.0 addresses this issue by enhancing the permission settings.

Affected Version(s)

constructor < 3.13.0

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
