Vulnerability Description
Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-build processing logic is vulnerable to path traversal (Tarslip) attacks due to improper sanitization of tar entry paths. Attackers can craft tar archives containing entries with directory traversal sequences to write files outside the intended extraction directory. This could lead to arbitrary file overwrites, privilege escalation, or code execution if sensitive locations are targeted. This issue has been patched in version 25.4.0.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Anaconda | Conda-Build | < 25.4.0 |
Related Weaknesses (CWE)
References
- https://github.com/conda/conda-build/blob/834448b995eee02cf1c2e7ca97bcfa9affc77eProduct
- https://github.com/conda/conda-build/blob/834448b995eee02cf1c2e7ca97bcfa9affc77eProduct
- https://github.com/conda/conda-build/commit/bdf5e0022cec9a0c1378cca3f2dc8c92b483Patch
- https://github.com/conda/conda-build/security/advisories/GHSA-h499-pxgj-qh5hExploitVendor Advisory
- https://github.com/conda/conda-build/security/advisories/GHSA-h499-pxgj-qh5hExploitVendor Advisory
FAQ
What is CVE-2025-32799?
CVE-2025-32799 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-build processing logic is vulnerable to path traversal (Tarslip) attacks due to improper sanitizatio...
How severe is CVE-2025-32799?
CVE-2025-32799 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-32799?
Check the references section above for vendor advisories and patch information. Affected products include: Anaconda Conda-Build.