CVE-2025-27510
CVE-2025-27510
9.3
CriticalPublished:
Last updated:
Source:security-advisories@github.com
Deferred
Weakness (CWE)
CVSS Vector
v4.0- Attack Vector
- Network
- Attack Complexity
- Low
- Attack Requirements
- None
- Privileges Required
- None
- User Interaction
- None
- Confidentiality (Vulnerable)
- High
- Integrity (Vulnerable)
- High
- Availability (Vulnerable)
- High
- Confidentiality (Subsequent)
- None
- Integrity (Subsequent)
- None
- Availability (Subsequent)
- None
Description
conda-forge-metadata provides programatic access to conda-forge's metadata. conda-forge-metadata uses an optional dependency - "conda-oci-mirror" which was neither present on the PyPi repository nor registered by any entity. If conda-oci-mirror is taken over by a threat actor, it can result in remote code execution.
References
security-advisories@github.com
https://github.com/conda-forge/conda-forge-metadata/blob/799aee36b21ee06289d73d57838b28201f5a57af/pyproject.toml#L28security-advisories@github.com
https://github.com/conda-forge/conda-forge-metadata/security/advisories/GHSA-vwfh-m3q7-9jpw134c704f-9b21-4f2e-91b3-4a467353bcc0
https://github.com/conda-forge/conda-forge-metadata/security/advisories/GHSA-vwfh-m3q7-9jpw