CVE-2025-49598— conda-forge-ci-setup Allows Arbitrary Code Execution via Insecure Version Parsing
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-49598
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
conda-forge-ci-setup Allows Arbitrary Code Execution via Insecure Version Parsing
Source: NVD (National Vulnerability Database)
Vulnerability Description
conda-forge-ci-setup is a package installed by conda-forge each time a build is run on CI. The conda-forge-ci-setup-feedstock setup script is vulnerable due to the unsafe use of the eval function when parsing version information from a custom-formatted meta.yaml file. An attacker controlling meta.yaml can inject malicious code into the version assignment, which is executed during file processing, leading to arbitrary code execution. Exploitation requires an attacker to modify the recipe file by manipulating the RECIPE_DIR variable and introducing a malicious meta.yaml file. While this is more feasible in CI/CD pipelines, it is uncommon in typical environments, reducing overall risk. This vulnerability is fixed in 4.15.0.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
动态执行代码中指令转义处理不恰当(Eval注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
conda forge ci-setup 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
conda forge ci-setup是conda forge社区的一个开源库。 conda forge ci-setup存在安全漏洞,该漏洞源于eval函数不安全使用,可能导致任意代码执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| conda-forge | conda-forge-ci-setup-feedstock | < 4.15.0 | - |
II. Public POCs for CVE-2025-49598
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-49598
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same vendor: conda-forge
- CVE-2025-49824
conda-smithy Insecure Encryption Vulnerable to Oracle Paddin - CVE-2025-49843
conda-smithy Has Incorrect Default File Permissions - CVE-2025-49842
conda-forge-webservices Privilege Escalation Risk via Defaul - CVE-2025-35471
conda-forge openssl-feedstock writable OPENSSLDIR - CVE-2025-32784
conda-forge-webservices has an Unauthorized Artifact Modific
Same weakness: CWE-95
- CVE-2026-44128
Unauthenticated Remote Code Execution - CVE-2026-42079
PPTAgent: Arbitrary Code Execution via Python eval() of LLM- - CVE-2026-6652
Pagekit CMS StringStorage Template PhpEngine.php evaluate ev - CVE-2026-33618
Chamilo LMS Affected by Remote Code Execution via eval() in - CVE-2026-5971
FoundationAgents MetaGPT XML action_node.py ActionNode.xml_f
V. Comments for CVE-2025-49598
No comments yet