CVE-2025-32784: conda-forge-webservices has an Unauthorized Artifact Modification Race Condition

First published: Tue Apr 15 2025(Updated: )

conda-forge-webservices is the web app deployed to run conda-forge admin commands and linting. In versions prior to 2025.4.10, a race condition vulnerability has been identified in the conda-forge-webservices component used within the shared build infrastructure. This vulnerability, categorized as a Time-of-Check to Time-of-Use (TOCTOU) issue, can be exploited to introduce unauthorized modifications to build artifacts stored in the cf-staging Anaconda channel. Exploitation may result in the unauthorized publication of malicious artifacts to the production conda-forge channel. The core vulnerability results from the absence of atomicity between the hash validation and the artifact copy operation. This gap allows an attacker, with access to the cf-staging token, to overwrite the validated artifact with a malicious version immediately after hash verification, but before the copy action is executed. As the cf-staging channel permits artifact overwrites, such an operation can be carried out using the anaconda upload --force command. This vulnerability is fixed in 2025.4.10.

Credit: security-advisories@github.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/mitre-cve
• source/MITRE
• agent/references
• agent/title
• agent/weakness
• agent/type
• agent/first-publish-date
• agent/description
• agent/guess-ai
• agent/software-canonical-lookup
• agent/software-canonical-lookup-request
• agent/softwarecombine
• collector/nvd-api
• source/NVD
• agent/severity
• agent/last-modified-date
• agent/source
• agent/tags
• agent/author
• agent/event
• vendor/conda-forge
• canonical/conda-forge-webservices