CVE-2025-64343

7.8 HIGH

📋 TL;DR

CVE-2025-64343 is a local privilege escalation vulnerability in Constructor (conda installer tool) where installation directories inherit overly permissive permissions from parent directories. This allows any authenticated local user to modify installation files during or after installation. Users who install conda packages in shared directories or multi-user systems are affected.

💻 Affected Systems

Products:
  • conda Constructor
Versions: 3.12.2 and below
Operating Systems: All operating systems where Constructor is used
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability affects both single-user and all-user installations when installed in directories accessible to other users.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Malicious local users could replace legitimate conda packages with malicious versions, leading to code execution with installer privileges, data theft, or system compromise.

🟠 Likely Case

Local users with access to shared directories could tamper with conda installations, causing package corruption, installation failures, or unauthorized modifications.

🟢 If Mitigated

With proper directory permissions and isolated installations, impact is limited to denial of service through file modification in accessible directories.

🌐 Internet-Facing: LOW - This is a local attack vector requiring authenticated local access.
🏢 Internal Only: HIGH - Any authenticated user on shared systems can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local authenticated access and knowledge of installation directory locations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.13.0

Vendor Advisory: https://github.com/conda/constructor/security/advisories/GHSA-vvpr-2qg4-2mrq

Restart Required: No

Instructions:

  1. Update Constructor using: conda update constructor
  2. Verify installation with: constructor --version
  3. Recreate any existing installers with the updated version

🔧 Temporary Workarounds

Restrict installation directory permissions (all platforms)

Manually set restrictive permissions on installation directories to prevent unauthorized write access

chmod 755 /installation/path (Linux)
icacls /installation/path /inheritance:r /grant:r "Users:(OI)(CI)RX" (Windows)

Use isolated installation directories (all platforms)

Install conda packages in user-specific directories not accessible to other users

export CONDA_PREFIX=$HOME/.local/conda (Linux)
set CONDA_PREFIX=%USERPROFILE%\.conda (Windows)

🧯 If You Can't Patch

  • Install conda packages in user-specific directories with restrictive permissions (700 on Linux, user-only access on Windows)
  • Monitor installation directories for unauthorized file modifications using file integrity monitoring tools

🔍 How to Verify

Check if Vulnerable:

Check the Constructor version with: constructor --version. If the version is 3.12.2 or below, the system is vulnerable.

Check Version:

constructor --version

Verify Fix Applied:

Verify that the version is 3.13.0 or higher with: constructor --version. Check that installation directory permissions are not overly permissive.
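
Added example (not part of the original page or the vendor advisory): one way to check an existing installation directory for overly permissive entries on Linux or macOS, by listing everything at or under the prefix that group or other can write to. The script name, the function names and the choice to treat group-write as unwanted are assumptions of this example; it reads POSIX mode bits only and does not evaluate Windows ACLs.

```python
import os
import stat
import sys

# Permission bits that let anyone other than the owner modify an entry.
NON_OWNER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def find_writable_by_others(prefix):
    """Return sorted (path, octal_mode) pairs for entries at or under
    `prefix` that are group- or world-writable."""
    candidates = [prefix]
    for root, dirs, files in os.walk(prefix):  # does not descend into symlinks
        candidates.extend(os.path.join(root, name) for name in dirs + files)

    findings = []
    for path in candidates:
        try:
            st = os.lstat(path)
        except OSError:
            continue  # entry vanished or is unreadable; skip it
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode bits are not enforced on Linux
        if st.st_mode & NON_OWNER_WRITE:
            findings.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)


def main(argv):
    if len(argv) != 2:
        print("usage: audit_prefix.py INSTALL_PREFIX", file=sys.stderr)
        return 2
    findings = find_writable_by_others(argv[1])
    for path, mode in findings:
        print(f"{mode}  {path}")
    print(f"{len(findings)} entries writable by group or other")
    return 1 if findings else 0  # non-zero exit lets cron or CI flag the result


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the installation prefix before and after applying the chmod workaround; a clean prefix prints a count of 0 and exits with status 0.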

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file modifications in conda installation directories
  • Failed package integrity checks
  • Permission changes in installation directories

Network Indicators:

  • None - this is a local file system vulnerability

SIEM Query:

File modification events in conda installation paths by non-owner users OR Process execution from unexpected locations in conda directories
