CVE-2025-32797
📋 TL;DR
CVE-2025-32797 is a local privilege escalation vulnerability in conda-build where the temporary build script conda_build.sh is created with overly permissive file permissions (0o766). Attackers with filesystem access can exploit a race condition to overwrite this script before execution, enabling arbitrary code execution under the victim's privileges. This primarily affects users in shared environments like multi-user systems, CI/CD pipelines, or containerized builds.
💻 Affected Systems
- conda-build
📦 What is this software?
Conda Build by Anaconda
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through arbitrary code execution with the victim's privileges, potentially leading to lateral movement, data exfiltration, or complete host takeover.
Likely Case
Local privilege escalation in shared environments where attackers can monitor filesystem events, leading to unauthorized code execution during package builds.
If Mitigated
Limited to authenticated users with filesystem access; proper permissions and isolation reduce impact to individual user contexts.
🎯 Exploit Status
Exploitation requires filesystem access and precise timing (race condition). Attackers need to monitor directory events and overwrite the script within milliseconds of creation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 25.3.1
Vendor Advisory: https://github.com/conda/conda-build/security/advisories/GHSA-vfp6-3v8g-vcmm
Restart Required: No
Instructions:
1. Update conda-build using: conda update conda-build
2. Verify version: conda-build --version
3. Ensure version is 25.3.1 or higher
🔧 Temporary Workarounds
Restrict script permissions
Linux: Manually change conda_build.sh permissions from 0o766 to 0o700 (owner-only access) before execution
chmod 700 conda_build.sh
Use atomic file operations
All platforms: Implement atomic file creation by writing to temporary randomized filenames and renaming atomically
🧯 If You Can't Patch
- Isolate conda-build processes to dedicated, non-shared directories with strict permissions
- Implement filesystem monitoring to detect unauthorized modifications to conda_build.sh scripts
🔍 How to Verify
Check if Vulnerable:
Check the conda-build version: conda-build --version. If the reported version is lower than 25.3.1, the installation is vulnerable.
Check Version:
conda-build --version
Verify Fix Applied:
Verify conda-build version is 25.3.1 or higher and test that conda_build.sh files are created with secure permissions (0o700).
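The atomic-creation workaround and the 0o700 permission check above, as an added Python example (this is not conda-build's own code nor code from the advisory): the script is created under a random name with mkstemp, tightened to 0o700 before any content is written, and renamed into place; a deliberately weak variant reproduces the 0o766 mode the advisory describes so the checker's verdict can be compared. Function names are assumptions for this illustration; it runs on POSIX systems only.

```python
import os
import stat
import tempfile
from pathlib import Path

def write_build_script_securely(target: Path, contents: str) -> Path:
    """Create a build script with no window for another local user to swap in content (POSIX)."""
    target = Path(target)
    # mkstemp: random name, O_CREAT|O_EXCL, mode 0o600, same directory so the rename is atomic
    fd, tmp_name = tempfile.mkstemp(prefix=".conda_build.", dir=target.parent)
    try:
        try:
            os.fchmod(fd, 0o700)  # owner rwx only, fixed before any data lands
            data = contents.encode()
            while data:  # os.write may be partial; loop until everything is out
                data = data[os.write(fd, data):]
            os.fsync(fd)
        finally:
            os.close(fd)
        os.replace(tmp_name, target)  # atomic; no half-written file is ever visible
    except BaseException:
        os.unlink(tmp_name)  # the temp file still exists whenever we get here
        raise
    return target

def write_build_script_weak(target: Path, contents: str) -> Path:
    """Comparison only: plain create then chmod 0o766 (the mode in the advisory), writable by others."""
    Path(target).write_text(contents)
    os.chmod(target, 0o766)
    return Path(target)

def script_mode_is_secure(path: Path) -> bool:
    """Regular file, owned by the caller, no group/other bits; lstat so a planted symlink is not followed."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
        return False
    return (stat.S_IMODE(st.st_mode) & 0o077) == 0

def demo() -> dict:
    """Write both variants of a constructed sample script to a fresh temp dir; report mode and verdict."""
    d = Path(tempfile.mkdtemp())
    secure = write_build_script_securely(d / "conda_build.sh", "#!/bin/sh\necho ok\n")
    weak = write_build_script_weak(d / "weak_build.sh", "#!/bin/sh\necho ok\n")
    return {
        "secure_mode": stat.S_IMODE(os.stat(secure).st_mode),
        "secure_ok": script_mode_is_secure(secure),
        "secure_text": secure.read_text(),
        "weak_mode": stat.S_IMODE(os.stat(weak).st_mode),
        "weak_ok": script_mode_is_secure(weak),
    }
```

Running demo() shows the securely written script at mode 0o700 passing the check and the 0o766 variant failing it, which is the same test a reviewer would apply to scripts a patched conda-build produces.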
📡 Detection & Monitoring
Log Indicators:
- Unexpected modifications to conda_build.sh files
- Multiple rapid file creation/deletion events in build directories
- Suspicious process execution from conda build contexts
Network Indicators:
- None - this is a local filesystem vulnerability
SIEM Query:
File modification events where target_path LIKE '%conda_build.sh' AND permissions_changed_to != '0700'
🔗 References
- https://github.com/conda/conda-build/blob/3f06913bba22c4e1ef1065df9e00d86ac97f087c/conda_build/build.py#L3054-L3084
- https://github.com/conda/conda-build/commit/d246e49c8f45e8033915156ee3d77769926f3c2e
- https://github.com/conda/conda-build/pull/5
- https://github.com/conda/conda-build/security/advisories/GHSA-vfp6-3v8g-vcmm