We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-32800

Conda-build vulnerable to supply chain attack vector due to pyproject.toml referring to dependencies not present in PyPI



Description

Conda-build contains commands and tools to build conda packages. Prior to version 25.3.0, the pyproject.toml lists conda-index as a Python dependency. This package is not published in PyPI. An attacker could claim this namespace and upload arbitrary (malicious) code to the package, and then exploit pip install commands by injecting the malicious dependency in the solve. This issue has been fixed in version 25.3.0. A workaround involves using --no-deps for pip install-ing the project from the repository.

Reserved 2025-04-10 | Published 2025-06-16 | Updated 2025-06-16 | Assigner GitHub_M


HIGH: 7.2CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

Problem types

CWE-1357: Reliance on Insufficiently Trustworthy Component

Product status

< 25.3.0
affected

References

github.com/...-build/security/advisories/GHSA-83gh-p93g-cwgx

github.com/...ommit/f5a6aeef0d5d6940b8c2a88796910dc7476a62bb

drive.google.com/...d/18qe97zxcpTn2l84187A9meGCi2Wg-n_Y/view

cve.org (CVE-2025-32800)

nvd.nist.gov (CVE-2025-32800)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-32800

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.