CVE-2025-32800 · CRITICAL 9.8 · EPSS p41.4%


Description

Conda-build contains commands and tools to build conda packages. Prior to version 25.3.0, its pyproject.toml lists conda-index as a Python dependency, but this package is not published on PyPI. An attacker could claim this namespace on PyPI and upload arbitrary (malicious) code to the package; pip install commands would then pull in the malicious dependency during the dependency solve. This issue has been fixed in version 25.3.0. As a workaround, use --no-deps when installing the project from the repository with pip install.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.55% probability of exploitation · percentile 41.4% · 2026-06-18T12:00:27Z
Published: 2025-06-16
Last modified: 2025-08-01

Underlying weaknesses · 1

CWE-1357

References

  1. https://drive.google.com/file/d/18qe97zxcpTn2l84187A9meGCi2Wg-n_Y/view
  2. https://github.com/conda/conda-build/commit/f5a6aeef0d5d6940b8c2a88796910dc7476a62bb
  3. https://github.com/conda/conda-build/security/advisories/GHSA-83gh-p93g-cwgx

Type | Target | Confidence | Tier
Weakness | Reliance on Insufficiently Trustworthy Component (cwe-1357) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2025-32798
CVE-2025-32799
CVE-2025-47273
CVE-2026-8643
CVE-2025-1716
CVE-2025-10894

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.