What is the severity of CVE-2025-31484?

CVE-2025-31484 is considered a high-severity vulnerability due to the potential unauthorized access it allows to feedstock maintainers.

How do I fix CVE-2025-31484?

To fix CVE-2025-31484, ensure that you update the conda-forge infrastructure to the latest version post April 01, 2025.

What are the potential impacts of CVE-2025-31484?

The impact of CVE-2025-31484 includes possible unauthorized code changes and configuration access by feedstock maintainers.

Who is affected by CVE-2025-31484?

CVE-2025-31484 affects all users and maintainers of the conda-forge infrastructure between February 10, 2025, and April 01, 2025.

Is there an exploit public for CVE-2025-31484?

As of now, there is no confirmed public exploit for CVE-2025-31484, but the vulnerability itself poses significant security risks.

Vulnerability/
CVE-2025-31484

critical

9.3

CWE

284

EPSS

0.041%

2/4/2025

CVE-2025-31484: conda-forge infrastructure uses a bad token for Azure's cf-staging access

First published: Wed Apr 02 2025(Updated: )

conda-forge infrastructure holds common configurations and settings for key pieces of the conda-forge infrastructure. Between 2025-02-10 and 2025-04-01, conda-forge infrastructure used the wrong token for Azure's cf-staging access. This bug meant that any feedstock maintainer could upload a package to the conda-forge channel, bypassing our feedstock-token + upload process. The security logs on anaconda.org were check for any packages that were not copied from the cf-staging to the conda-forge channel and none were found.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
conda-forge infrastructure	>=2025-02-10<2025-04-01

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2025-31484?
CVE-2025-31484 is considered a high-severity vulnerability due to the potential unauthorized access it allows to feedstock maintainers.
How do I fix CVE-2025-31484?
To fix CVE-2025-31484, ensure that you update the conda-forge infrastructure to the latest version post April 01, 2025.
What are the potential impacts of CVE-2025-31484?
The impact of CVE-2025-31484 includes possible unauthorized code changes and configuration access by feedstock maintainers.
Who is affected by CVE-2025-31484?
CVE-2025-31484 affects all users and maintainers of the conda-forge infrastructure between February 10, 2025, and April 01, 2025.
Is there an exploit public for CVE-2025-31484?
As of now, there is no confirmed public exploit for CVE-2025-31484, but the vulnerability itself poses significant security risks.

collector/mitre-cve
source/MITRE
agent/weakness
agent/title
agent/first-publish-date
agent/description
agent/type
agent/references
agent/guess-ai
agent/software-canonical-lookup
agent/software-canonical-lookup-request
agent/softwarecombine
collector/nvd-api
source/NVD
agent/severity
agent/last-modified-date
agent/author
agent/event
collector/epss-latest
source/FIRST
agent/source
agent/tags
agent/epss
vendor/conda-forge
canonical/conda-forge infrastructure

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.