QwikSec

Security Database

CVE

CWE

Training

CVE-2025-32799

Published: Jun 16, 2025

Modified: Jun 17, 2025

PUBLISHED

Description

Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-build processing logic is vulnerable to path traversal (Tarslip) attacks due to improper sanitization of tar entry paths. Attackers can craft tar archives containing entries with directory traversal sequences to write files outside the intended extraction directory. This could lead to arbitrary file overwrites, privilege escalation, or code execution if sensitive locations are targeted. This issue has been patched in version 25.4.0.

Vendor	Product	Versions
conda	conda-build	affected `< 25.4.0`

Weaknesses (CWE)

References

https://github.com/conda/conda-build/security/advisories/GHSA-h499-pxgj-qh5h

x_refsource_CONFIRM

https://github.com/conda/conda-build/commit/bdf5e0022cec9a0c1378cca3f2dc8c92b4834673

x_refsource_MISC

https://github.com/conda/conda-build/blob/834448b995eee02cf1c2e7ca97bcfa9affc77ee5/conda_build/convert.py

x_refsource_MISC

https://github.com/conda/conda-build/blob/834448b995eee02cf1c2e7ca97bcfa9affc77ee5/conda_build/render.py

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.