CVE-2025-64343

Published: Nov 7, 2025

Modified: Nov 7, 2025

PUBLISHED

CVSS v3.1

7.8

HIGH

Description

(conda) Constructor is a tool that enables users to create installers for conda package collections. In versions 3.12.2 and below, the installation directory inherits permissions from its parent directory. Outside of restricted directories, the permissions are very permissive and often allow write access by authenticated users. Any logged in user can make modifications during the installation for both single-user and all-user installations. This constitutes a local attack vector if the installation is in a directory local users have access to. For single-user installations in a shared directory, these permissions persist after the installation. This issue is fixed in version 3.13.0.

Vendor	Product	Versions
conda	constructor	affected `< 3.13.0`

Weaknesses (CWE)

CWE-289

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/conda/constructor/security/advisories/GHSA-vvpr-2qg4-2mrq

x_refsource_CONFIRM

https://github.com/conda/constructor/commit/c368383710a7c2b81ad1b0ecb9724b38d3577447

x_refsource_MISC

https://github.com/conda/constructor/releases/tag/3.13.0

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-64343

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References