CVE-2025-32797 (GCVE-0-2025-32797)
Vulnerability from cvelistv5
Published
2025-06-16 18:46
Modified
2025-06-17 13:57
Severity ?
6.0 (Medium) - CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N
CWE
  • CWE-277 - Insecure Inherited Permissions
Summary
Conda-build contains commands and tools to build conda packages. Prior to version 25.3.1, the write_build_scripts function in conda-build creates the temporary build script conda_build.sh with overly permissive file permissions (0o766), allowing write access to all users. Attackers with filesystem access can exploit a race condition to overwrite the script before execution, enabling arbitrary code execution under the victim's privileges. This risk is significant in shared environments, potentially leading to full system compromise. Even with non-static directory names, attackers can monitor parent directories for file creation events. The brief window between script creation (with insecure permissions) and execution allows rapid overwrites. Directory names can also be inferred via timestamps or logs, and automation enables exploitation even with semi-randomized paths by acting within milliseconds of detection. This issue has been patched in version 25.3.1. A workaround involves restricting conda_build.sh permissions from 0o766 to 0o700 (owner-only read/write/execute). Additionally, use atomic file creation (write to a temporary randomized filename and rename atomically) to minimize the race condition window.
References
Impacted products
Vendor Product Version
conda conda-build Version: < 25.3.1
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32797",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-17T13:56:56.517803Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-17T13:57:44.968Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "conda-build",
          "vendor": "conda",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 25.3.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Conda-build contains commands and tools to build conda packages. Prior to version 25.3.1, the write_build_scripts function in conda-build creates the temporary build script conda_build.sh with overly permissive file permissions (0o766), allowing write access to all users. Attackers with filesystem access can exploit a race condition to overwrite the script before execution, enabling arbitrary code execution under the victim\u0027s privileges. This risk is significant in shared environments, potentially leading to full system compromise. Even with non-static directory names, attackers can monitor parent directories for file creation events. The brief window between script creation (with insecure permissions) and execution allows rapid overwrites. Directory names can also be inferred via timestamps or logs, and automation enables exploitation even with semi-randomized paths by acting within milliseconds of detection. This issue has been patched in version 25.3.1. A workaround involves restricting conda_build.sh permissions from 0o766 to 0o700 (owner-only read/write/execute). Additionally, use atomic file creation (write to a temporary randomized filename and rename atomically) to minimize the race condition window."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-277",
              "description": "CWE-277: Insecure Inherited Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-16T19:57:20.412Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/conda/conda-build/security/advisories/GHSA-vfp6-3v8g-vcmm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/conda/conda-build/security/advisories/GHSA-vfp6-3v8g-vcmm"
        },
        {
          "name": "https://github.com/conda/conda-build/pull/5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/conda/conda-build/pull/5"
        },
        {
          "name": "https://github.com/conda/conda-build/commit/d246e49c8f45e8033915156ee3d77769926f3c2e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/conda/conda-build/commit/d246e49c8f45e8033915156ee3d77769926f3c2e"
        },
        {
          "name": "https://github.com/conda/conda-build/blob/3f06913bba22c4e1ef1065df9e00d86ac97f087c/conda_build/build.py#L3054-L3084",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/conda/conda-build/blob/3f06913bba22c4e1ef1065df9e00d86ac97f087c/conda_build/build.py#L3054-L3084"
        }
      ],
      "source": {
        "advisory": "GHSA-vfp6-3v8g-vcmm",
        "discovery": "UNKNOWN"
      },
      "title": "Conda-build Insecure Build Script Permissions Enabling Arbitrary Code Execution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-32797",
    "datePublished": "2025-06-16T18:46:31.227Z",
    "dateReserved": "2025-04-10T12:51:12.282Z",
    "dateUpdated": "2025-06-17T13:57:44.968Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-32797\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-17T13:56:56.517803Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-17T13:57:39.584Z\"}}], \"cna\": {\"title\": \"Conda-build Insecure Build Script Permissions Enabling Arbitrary Code Execution\", \"source\": {\"advisory\": \"GHSA-vfp6-3v8g-vcmm\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"conda\", \"product\": \"conda-build\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 25.3.1\"}]}], \"references\": [{\"url\": \"https://github.com/conda/conda-build/security/advisories/GHSA-vfp6-3v8g-vcmm\", \"name\": \"https://github.com/conda/conda-build/security/advisories/GHSA-vfp6-3v8g-vcmm\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/conda/conda-build/pull/5\", \"name\": \"https://github.com/conda/conda-build/pull/5\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/conda/conda-build/commit/d246e49c8f45e8033915156ee3d77769926f3c2e\", \"name\": \"https://github.com/conda/conda-build/commit/d246e49c8f45e8033915156ee3d77769926f3c2e\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/conda/conda-build/blob/3f06913bba22c4e1ef1065df9e00d86ac97f087c/conda_build/build.py#L3054-L3084\", \"name\": \"https://github.com/conda/conda-build/blob/3f06913bba22c4e1ef1065df9e00d86ac97f087c/conda_build/build.py#L3054-L3084\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Conda-build contains commands and tools to build conda packages. Prior to version 25.3.1, the write_build_scripts function in conda-build creates the temporary build script conda_build.sh with overly permissive file permissions (0o766), allowing write access to all users. Attackers with filesystem access can exploit a race condition to overwrite the script before execution, enabling arbitrary code execution under the victim\u0027s privileges. This risk is significant in shared environments, potentially leading to full system compromise. Even with non-static directory names, attackers can monitor parent directories for file creation events. The brief window between script creation (with insecure permissions) and execution allows rapid overwrites. Directory names can also be inferred via timestamps or logs, and automation enables exploitation even with semi-randomized paths by acting within milliseconds of detection. This issue has been patched in version 25.3.1. A workaround involves restricting conda_build.sh permissions from 0o766 to 0o700 (owner-only read/write/execute). Additionally, use atomic file creation (write to a temporary randomized filename and rename atomically) to minimize the race condition window.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-277\", \"description\": \"CWE-277: Insecure Inherited Permissions\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-06-16T19:57:20.412Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-32797\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-17T13:57:44.968Z\", \"dateReserved\": \"2025-04-10T12:51:12.282Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-06-16T18:46:31.227Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.