CVE-2025-49824— conda-smithy Insecure Encryption Vulnerable to Oracle Padding Attack
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-49824
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
conda-smithy Insecure Encryption Vulnerable to Oracle Padding Attack
Source: NVD (National Vulnerability Database)
Vulnerability Description
conda-smithy is a tool for combining a conda recipe with configurations to build using freely hosted CI services into a single repository. Prior to version 3.47.1, the travis_encrypt_binstar_token implementation in the conda-smithy package has been identified as vulnerable to an Oracle Padding Attack. This vulnerability results from the use of an outdated and insecure padding scheme during RSA encryption. A malicious actor with access to an oracle system can exploit this flaw by iteratively submitting modified ciphertexts and analyzing responses to infer the plaintext without possessing the private key. This issue has been patched in version 3.47.1.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
conda-forge conda-smithy 信息泄露漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
conda-forge conda-smithy是conda-forge开源的一个用于管理康达锻造原料的工具。 conda-forge conda-smithy 3.47.1之前版本存在信息泄露漏洞,该漏洞源于travis_encrypt_binstar_token实现存在Oracle Padding攻击风险。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| conda-forge | conda-smithy | < 3.47.1 | - |
II. Public POCs for CVE-2025-49824
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-49824
请登录查看更多情报信息。
Same Patch Batch · conda-forge · 2025-06-17 · 3 CVEs total
| CVE-2025-49843 | conda-smithy Has Incorrect Default File Permissions | |
| CVE-2025-49842 | conda-forge-webservices Privilege Escalation Risk via Default Docker Root User |
IV. Related Vulnerabilities
Same vendor: conda-forge
- CVE-2025-49843
conda-smithy Has Incorrect Default File Permissions - CVE-2025-49842
conda-forge-webservices Privilege Escalation Risk via Defaul - CVE-2025-49598
conda-forge-ci-setup Allows Arbitrary Code Execution via Ins - CVE-2025-35471
conda-forge openssl-feedstock writable OPENSSLDIR - CVE-2025-32784
conda-forge-webservices has an Unauthorized Artifact Modific
Same weakness: CWE-200
- CVE-2026-42333
quarkus-openapi-generator has overly broad path-parameter ma - CVE-2026-8198
Activity Logs, User Activity Tracking, Multisite Activity Lo - CVE-2026-42456
AnythingLLM: Cross-User TTS Audio Disclosure via Chat ID (ID - CVE-2026-41520
Cillium exposes sensitive information included in the cilium - CVE-2026-25199
Apache CloudStack: Proxmox Extension Allows Unauthorized Cro
V. Comments for CVE-2025-49824
No comments yet