CVE-2025-32799CRITICAL 9.8EPSS p65.9%

CVE-2025-32799CVE-2025-32799

Description

Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-build processing logic is vulnerable to path traversal (Tarslip) attacks due to improper sanitization of tar entry paths. Attackers can craft tar archives containing entries with directory traversal sequences to write files outside the intended extraction directory. This could lead to arbitrary file overwrites, privilege escalation, or code execution if sensitive locations are targeted. This issue has been patched in version 25.4.0.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS1.26% probability of exploitation · percentile 65.9% · 2026-06-19T12:03:05Z
Published2025-06-16
Last modified2025-07-02

Underlying weaknesses· 1

CWE-22

References

  1. https://github.com/conda/conda-build/blob/834448b995eee02cf1c2e7ca97bcfa9affc77ee5/conda_build/convert.py
  2. https://github.com/conda/conda-build/blob/834448b995eee02cf1c2e7ca97bcfa9affc77ee5/conda_build/render.py
  3. https://github.com/conda/conda-build/commit/bdf5e0022cec9a0c1378cca3f2dc8c92b4834673
  4. https://github.com/conda/conda-build/security/advisories/GHSA-h499-pxgj-qh5h
  5. https://github.com/conda/conda-build/security/advisories/GHSA-h499-pxgj-qh5h

1

TypeTargetConfidenceTier
WeaknessImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')cwe-220%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-32798
CVE
CVE-2025-32800
CVE
CVE-2025-0377
CVE
CVE-2025-4517
CVE
CVE-2025-15031
CVE
CVE-2025-69874
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.