CVE-2025-32800 HIGH

CVE-2025-32800: Conda-build vulnerable to supply chain attack vector due to pyproject.toml referring to dependencies not present in PyPI

Vendor Conda
Product conda-build
Weakness CWE-1357
Published June 16, 2025
Last update June 17, 2025

CVSS base score

7.2/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

What the vulnerability does

01 Description

Conda-build contains commands and tools to build conda packages. Prior to version 25.3.0, its pyproject.toml listed conda-index as a Python dependency, but that package is not published on PyPI (it is distributed as a conda package). Because the name was unclaimed on PyPI, an attacker could register it and upload arbitrary malicious code under that name; any pip install of the project from a repository checkout would then resolve conda-index from PyPI and pull the attacker's package into the dependency solve (a dependency-confusion attack). This issue has been fixed in version 25.3.0. As a workaround for earlier versions, install the project from the repository with pip install --no-deps so that pip does not attempt to resolve the dependency from PyPI.
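The check a maintainer would want for this class of bug is a list of declared dependency names that the target index does not actually publish. The script below is an added example, not conda-build's own code: it parses the [project] dependency tables of a pyproject.toml, extracts the PEP 508 project names, normalises them per PEP 503 and reports any that are absent from a set of names known to exist on the index. The pyproject excerpt and the KNOWN_ON_INDEX set are constructed for the example (in practice the set would be populated from a query against PyPI or an internal allowlist); tomllib requires Python 3.11+, with the tomli backport as a fallback.

```python
"""Flag pyproject.toml dependencies that the install index does not publish.

Added example, not part of conda-build. A declared name that is absent from
the index is a namespace an attacker can register, turning "pip install ."
into an install of their code (the CVE-2025-32800 pattern).
"""
import re

try:
    import tomllib  # Python 3.11+
except ImportError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# Constructed excerpt modelled on the pre-25.3.0 situation: conda-index is
# declared as a Python dependency but PyPI does not publish it.
SAMPLE_PYPROJECT = """
[project]
name = "conda-build"
dependencies = [
    "conda-index >=0.4.0",
    "packaging>=20.0",
    "PyYAML",
    "requests; python_version >= '3.8'",
    "jinja2[i18n]>=3.0",
]

[project.optional-dependencies]
test = ["pytest>=7"]
"""

# Constructed stand-in for "names published on the index we install from".
KNOWN_ON_INDEX = {"packaging", "pyyaml", "requests", "jinja2", "pytest"}

# A PEP 508 requirement starts with the project name; extras, version
# specifiers, markers and URLs all follow it.
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of -, _ and . to -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(spec: str) -> str:
    """Return the normalised project name from a PEP 508 requirement string."""
    m = _NAME_RE.match(spec)
    if not m:
        raise ValueError(f"cannot parse requirement: {spec!r}")
    return normalize(m.group(1))


def declared_dependencies(pyproject_text: str) -> list[str]:
    """Names from [project] dependencies plus every optional-dependencies group."""
    data = tomllib.loads(pyproject_text)
    project = data.get("project", {})
    specs = list(project.get("dependencies", []))
    for group in project.get("optional-dependencies", {}).values():
        specs.extend(group)
    return [requirement_name(s) for s in specs]


def unclaimed_dependencies(pyproject_text: str, known_on_index: set[str]) -> list[str]:
    """Declared names that pip would fetch from the index but the index lacks."""
    known = {normalize(n) for n in known_on_index}
    return sorted({n for n in declared_dependencies(pyproject_text) if n not in known})


if __name__ == "__main__":
    for name in unclaimed_dependencies(SAMPLE_PYPROJECT, KNOWN_ON_INDEX):
        print(f"WARNING: {name!r} is declared but not published on the index")
```

Run as a CI step against the real pyproject.toml (with KNOWN_ON_INDEX fed from the index's simple API or a pinned allowlist) and fail the build on any warning; until the dependency list is fixed, the --no-deps workaround from the advisory is the only way to keep pip from resolving the unclaimed name.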

Key dates

02 Disclosure timeline

June 16, 2025 CVE published
June 17, 2025 Record updated