CVE-2025-32798
📋 TL;DR
CVE-2025-32798 allows arbitrary code execution during conda package builds due to unsafe eval() usage in recipe selectors. Attackers can inject malicious code into meta.yaml files to execute commands on build systems. This affects anyone using conda-build to create or process conda packages.
💻 Affected Systems
- conda-build
📦 What is this software?
Conda Build by Anaconda
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of build infrastructure leading to supply chain attacks, credential theft, lateral movement, and persistent backdoors in distributed packages.
Likely Case
Malicious package maintainers or compromised repositories executing arbitrary code on developer/build systems to steal credentials or modify other packages.
If Mitigated
Limited to isolated build environments with no network access or sensitive data, resulting in minimal impact.
🎯 Exploit Status
Exploitation requires ability to modify or submit meta.yaml files to conda-build, which could occur through package repositories, CI/CD pipelines, or developer workflows.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 25.4.0
Vendor Advisory: https://github.com/conda/conda-build/security/advisories/GHSA-6cc8-c3c9-3rgr
Restart Required: No
Instructions:
1. Update conda-build using: conda update conda-build
2. Or install specific version: conda install conda-build=25.4.0
3. Verify installation with: conda-build --version
🔧 Temporary Workarounds
Disable selector processing
Avoid processing meta.yaml files with embedded selectors by using static configurations
Use --no-selectors flag if available in your workflow
Manually review and sanitize all meta.yaml files before processing
Isolate build environments
Run conda-build in isolated containers or VMs with minimal privileges
docker run --rm -v $(pwd):/build conda/miniconda3 conda-build /build
Use CI/CD systems with ephemeral build environments
🧯 If You Can't Patch
- Implement strict code review for all meta.yaml files before build processing
- Run conda-build in sandboxed environments with no network access or sensitive credentials
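The manual review of meta.yaml files recommended above can be partly automated. The following is an added example, not conda-build's own code: it pulls every trailing "# [...]" selector out of a recipe, parses it with Python's ast module, and reports anything that is not a plain boolean over the names conda-build is expected to expose (a function call, attribute access, subscript, or an unknown identifier). The allowlist of selector names is an assumption maintained locally (a subset of what conda-build provides), and the selector regex is a simplification of conda-build's own pattern; the sample recipe is constructed for the demonstration.

```python
import ast
import re
from typing import Iterator, List, Tuple

# Names conda-build makes available to selector expressions.
# Assumption: this is a locally maintained subset; extend it for the
# platforms and variant keys your recipes actually use.
ALLOWED_NAMES = {
    "win", "win32", "win64", "linux", "osx", "unix",
    "x86", "x86_64", "arm64", "aarch64", "ppc64le", "armv6l", "armv7l", "s390x",
    "py", "py2k", "py3k", "np", "build_platform", "target_platform",
}
# Names such as py38, py310 or np120 are also legitimate selector inputs.
NUMBERED_NAME_RE = re.compile(r"^(py|np)\d+$")

# Node types a plain boolean selector needs.  Anything outside this set
# (Call, Attribute, Subscript, Lambda, comprehensions, f-strings ...) is
# flagged, because none of it belongs in a build-variant condition.
ALLOWED_NODES = (
    ast.Expression, ast.BoolOp, ast.UnaryOp, ast.Compare,
    ast.Name, ast.Constant, ast.Load,
    ast.And, ast.Or, ast.Not,
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
)

# Simplified selector syntax: a trailing "# [expr]" comment on a line.
SELECTOR_RE = re.compile(r"#\s*\[([^\[\]]+)\]\s*$")


def extract_selectors(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line number, selector expression) for each line carrying a selector."""
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SELECTOR_RE.search(line)
        if m:
            yield lineno, m.group(1).strip()


def check_selector(expr: str) -> List[str]:
    """Return the reasons a selector is not a plain boolean; [] means it passed."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        return [f"not parseable as an expression: {exc.msg}"]
    problems: List[str] = []
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            problems.append(f"disallowed syntax: {type(node).__name__}")
        elif isinstance(node, ast.Name):
            if node.id not in ALLOWED_NAMES and not NUMBERED_NAME_RE.match(node.id):
                problems.append(f"unknown name: {node.id}")
        elif isinstance(node, ast.Constant):
            if not isinstance(node.value, (bool, int, str)):
                problems.append(f"unexpected constant: {node.value!r}")
    return problems


def lint_recipe(text: str) -> List[str]:
    """Run every selector in a meta.yaml through check_selector and collect findings."""
    findings: List[str] = []
    for lineno, expr in extract_selectors(text):
        for reason in check_selector(expr):
            findings.append(f"line {lineno}: [{expr}] -> {reason}")
    return findings


# Constructed sample recipe: three ordinary selectors and one (line 10)
# that calls a function, which a legitimate selector never needs to do.
SAMPLE_META_YAML = """\
package:
  name: example
  version: "1.0"
requirements:
  build:
    - {{ compiler('c') }}   # [not win]
    - m2w64-toolchain       # [win]
  run:
    - numpy >=1.20          # [py>=38 and linux]
    - helper                # [foo()]
"""

if __name__ == "__main__":
    for finding in lint_recipe(SAMPLE_META_YAML):
        print(finding)
```

Wire lint_recipe into the CI step that runs before conda-build and fail the job on any finding; the allowlist errs on the side of false positives, which is the right trade-off for a gate on code that would otherwise reach eval().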
🔍 How to Verify
Check if Vulnerable:
Run: conda-build --version and check if version is less than 25.4.0
Check Version:
conda-build --version
Verify Fix Applied:
Confirm conda-build version is 25.4.0 or higher with: conda-build --version
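For checking many build hosts, the version comparison above is easier to script than to eyeball. The following is an added example, not part of this advisory or of conda-build: it parses the output of conda-build --version into a comparable key and reports whether it predates 25.4.0. A pre-release suffix such as rc1 is deliberately treated as older than the corresponding final release, so a 25.4.0 release candidate is still reported as vulnerable; the fixed version number is the one stated on this page.

```python
import re
import subprocess
from typing import Optional, Tuple

# First release carrying the fix, taken from the advisory summary above.
FIXED_VERSION = (25, 4, 0)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([A-Za-z]+\d*)?")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract a comparable version key from `conda-build --version` output.

    Accepts 'conda-build 25.3.1', a bare '25.3.1', or '25.4.0rc1'.  The
    fourth element is 0 for a pre-release and 1 for a final release, so a
    release candidate of the fixed version still sorts below the fix.
    Returns None when no version number is present.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    is_final = 1 if m.group(4) is None else 0
    return (major, minor, patch, is_final)


def is_vulnerable(version_text: str) -> Optional[bool]:
    """True if the reported version predates the fix, False if fixed, None if unparseable."""
    v = parse_version(version_text)
    if v is None:
        return None
    return v < FIXED_VERSION + (1,)


def installed_version_text() -> str:
    """Ask the real CLI; both streams are captured in case the tool writes to stderr."""
    try:
        result = subprocess.run(
            ["conda-build", "--version"], capture_output=True, text=True, check=False
        )
    except FileNotFoundError:
        raise RuntimeError("conda-build is not on PATH") from None
    return result.stdout + result.stderr


if __name__ == "__main__":
    text = installed_version_text()
    status = is_vulnerable(text)
    if status is None:
        print(f"could not parse version from: {text.strip()!r}")
    else:
        print(f"{text.strip()}: {'VULNERABLE, update to 25.4.0 or later' if status else 'fixed'}")
```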
📡 Detection & Monitoring
Log Indicators:
- Unexpected process execution during conda-build runs
- Suspicious commands in build logs
- Failed build attempts with unusual error patterns
Network Indicators:
- Unexpected outbound connections from build systems during package processing
- Downloads from unusual sources during builds
SIEM Query:
process_name:"conda-build" AND (command_line:"eval" OR command_line:"exec" OR command_line:"import os" OR command_line:"subprocess")
🔗 References
- https://github.com/conda/conda-build/blob/834448b995eee02cf1c2e7ca97bcfa9affc77ee5/conda_build/metadata.py
- https://github.com/conda/conda-build/commit/3d87213b840774a24ab1733664d2b36664233754
- https://github.com/conda/conda-build/security/advisories/GHSA-6cc8-c3c9-3rgr