Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

conda-forge — Vulnerabilities & Security Advisories 8

Browse all 8 CVE security advisories affecting conda-forge. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Conda-forge serves as a community-driven distribution channel for conda packages, enabling cross-platform package management for scientific computing and data analysis. Historically, vulnerabilities have included remote code execution through package tampering, cross-site scripting in web interfaces, and privilege escalation via compromised build systems. While no major public security incidents have been documented, the platform maintains 8 CVEs on record, primarily related to insecure package dependencies and insufficient input validation in build processes. Security measures include automated package scanning and community review, though the distributed nature of contributions presents inherent risks for supply chain attacks.

Top products by conda-forge: conda-forge-webservices conda-smithy conda-forge-metadata infrastructure openssl-feedstock conda-forge-ci-setup-feedstock
CVE IDTitleCVSSSeverityPublished
CVE-2025-49824 conda-smithy Insecure Encryption Vulnerable to Oracle Padding Attack — conda-smithyCWE-200 5.9AIMediumAI2025-06-17
CVE-2025-49843 conda-smithy Has Incorrect Default File Permissions — conda-smithyCWE-276 8.1AIHighAI2025-06-17
CVE-2025-49842 conda-forge-webservices Privilege Escalation Risk via Default Docker Root User — conda-forge-webservicesCWE-276 10.0AICriticalAI2025-06-17
CVE-2025-49598 conda-forge-ci-setup Allows Arbitrary Code Execution via Insecure Version Parsing — conda-forge-ci-setup-feedstockCWE-95 9.8AICriticalAI2025-06-13
CVE-2025-35471 conda-forge openssl-feedstock writable OPENSSLDIR — openssl-feedstockCWE-427 7.3 High2025-05-13
CVE-2025-32784 conda-forge-webservices has an Unauthorized Artifact Modification Race Condition — conda-forge-webservicesCWE-367 5.9AIMediumAI2025-04-15
CVE-2025-31484 conda-forge infrastructure uses a bad token for Azure's cf-staging access — infrastructureCWE-284 8.8AIHighAI2025-04-02
CVE-2025-27510 RCE in the package conda-forge-metadata — conda-forge-metadataCWE-829 9.8 -2025-03-04

This page lists every published CVE security advisory associated with conda-forge. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.