CVE-2025-49843— conda-smithy Has Incorrect Default File Permissions
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-49843
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
conda-smithy Has Incorrect Default File Permissions
Source: NVD (National Vulnerability Database)
Vulnerability Description
conda-smithy is a tool for combining a conda recipe with configurations to build using freely hosted CI services into a single repository. Prior to version 3.47.1, the travis_headers function in the conda-smithy repository creates files with permissions exceeding 0o600, allowing read and write access beyond the intended user/owner. This violates the principle of least privilege, which mandates restricting file permissions to the minimum necessary. An attacker could exploit this to access configuration files in shared hosting environments. This issue has been patched in version 3.47.1.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
缺省权限不正确
Source: NVD (National Vulnerability Database)
Vulnerability Title
conda-forge conda-smithy 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
conda-forge conda-smithy是conda-forge开源的一个用于管理康达锻造原料的工具。 conda-forge conda-smithy 3.47.1之前版本存在安全漏洞,该漏洞源于travis_headers函数创建的文件权限过高,可能导致配置文件泄露。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| conda-forge | conda-smithy | < 3.47.1 | - |
II. Public POCs for CVE-2025-49843
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-49843
请登录查看更多情报信息。
Same Patch Batch · conda-forge · 2025-06-17 · 3 CVEs total
| CVE-2025-49842 | conda-forge-webservices Privilege Escalation Risk via Default Docker Root User | |
| CVE-2025-49824 | conda-smithy Insecure Encryption Vulnerable to Oracle Padding Attack |
IV. Related Vulnerabilities
Same vendor: conda-forge
- CVE-2025-49824
conda-smithy Insecure Encryption Vulnerable to Oracle Paddin - CVE-2025-49842
conda-forge-webservices Privilege Escalation Risk via Defaul - CVE-2025-49598
conda-forge-ci-setup Allows Arbitrary Code Execution via Ins - CVE-2025-35471
conda-forge openssl-feedstock writable OPENSSLDIR - CVE-2025-32784
conda-forge-webservices has an Unauthorized Artifact Modific
Same weakness: CWE-276
- CVE-2026-0539
Local Privilege Escalation in pcvisit service client - CVE-2026-6823
HKUDS OpenHarness Insecure Default Remote Channel Allowlist - CVE-2026-6819
HKUDS OpenHarness Plugin Management Command Exposure - CVE-2026-39454
SKYSEA Client View 安全漏洞 - CVE-2026-30811
Missing Authorization in Configuration Ajax Endpoint leads t
V. Comments for CVE-2025-49843
No comments yet