CVE-2025-32799
Published: 16 June 2025
Summary
CVE-2025-32799 is a medium-severity Path Traversal (CWE-22) vulnerability in Anaconda Conda-Build. Its CVSS base score is 5.6 (Medium).
Operationally: ranked in the top 15.3% of CVEs by EPSS exploit likelihood; not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Conda-build, a set of commands and tools used to build conda packages, is affected by CVE-2025-32799 prior to version 25.4.0. The vulnerability is a path traversal issue, also known as Tarslip, that stems from insufficient sanitization of paths inside tar archives during extraction. An attacker-supplied tar can contain entries with directory traversal sequences such as “../”, allowing files to be written outside the intended target directory.
An unauthenticated attacker who can supply a malicious tar archive to conda-build processing logic can achieve arbitrary file overwrites. Successful exploitation may result in privilege escalation or arbitrary code execution when sensitive system locations are targeted. The attack requires user interaction to process the crafted archive and carries a CVSS 4.0 score of 5.6 with proof-of-concept exploit code noted.
The official GitHub Security Advisory GHSA-h499-pxgj-qh5h and the corresponding patch commit confirm that the issue is resolved in conda-build 25.4.0. Users are advised to upgrade immediately: check the installed version with conda list conda-build and move to 25.4.0 or later. The referenced source files convert.py and render.py are where path sanitization was strengthened. The EPSS score has remained flat at 0.0217 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-18459
Vulnerability details
Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-build processing logic is vulnerable to path traversal (Tarslip) attacks due to improper sanitization of tar entry paths. Attackers can craft tar archives containing entries with directory traversal sequences to write files outside the intended extraction directory. This could lead to arbitrary file overwrites, privilege escalation, or code execution if sensitive locations are targeted. This issue has been patched in version 25.4.0.
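The Tarslip pattern described above, as an added example that is not conda-build code and does not reproduce the 25.4.0 fix: it builds a small tar archive in memory (a constructed sample), extracts it with a hand-rolled extractor that joins the destination with the entry name and nothing else, then with an extractor that resolves every entry against the destination before writing. It goes slightly beyond the "../" case in the text by also rejecting absolute entry names and symlink or hard-link entries whose target resolves outside the destination, the other two ways a tar entry can escape. The function names (build_traversal_tar, check_member, naive_extract, safe_extract, demo) are this example's own.

```python
"""Tarslip demo: a traversal archive, an unchecked extractor, and the check.

Added example for this page; not conda-build's code and not the 25.4.0 fix.
The archive is constructed in memory so the demo runs offline.
"""
import io
import os
import tarfile
import tempfile


def build_traversal_tar() -> bytes:
    """Constructed sample: one benign entry, one '../' entry, and a symlink
    whose target lies above the extraction root."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in (
            ("pkg/info/index.json", b"{}"),
            ("../../escaped.txt", b"written outside the target dir\n"),
        ):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo("pkg/up")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../.."  # a later "pkg/up/x" entry would land outside
        tar.addfile(link)
    return buf.getvalue()


def _is_within(dest: str, path: str) -> bool:
    """True if path, after resolving '..' and existing symlinks, is under dest."""
    dest = os.path.realpath(dest)
    path = os.path.realpath(path)
    return os.path.commonpath([dest, path]) == dest


def check_member(member: tarfile.TarInfo, dest: str) -> str:
    """Return the on-disk target for member, or raise ValueError if the entry
    (or the link it would create) resolves outside dest."""
    if os.path.isabs(member.name):
        raise ValueError(f"absolute entry name: {member.name!r}")
    target = os.path.join(dest, member.name)
    if not _is_within(dest, target):
        raise ValueError(f"entry escapes dest: {member.name!r}")
    if member.issym():
        # symlink targets are relative to the link's own directory
        link_dst = os.path.join(os.path.dirname(target), member.linkname)
    elif member.islnk():
        # hard-link targets are relative to the archive root
        link_dst = os.path.join(dest, member.linkname)
    else:
        return target
    if os.path.isabs(member.linkname) or not _is_within(dest, link_dst):
        raise ValueError(f"link escapes dest: {member.name!r} -> {member.linkname!r}")
    return target


def _write_file(tar: tarfile.TarFile, member: tarfile.TarInfo, target: str) -> None:
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as out:
        out.write(tar.extractfile(member).read())


def naive_extract(tar_bytes: bytes, dest: str) -> list:
    """The bug: dest joined with the entry name, no check. Regular files only;
    only run it on an archive you built yourself."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar.getmembers():
            if m.isfile():
                target = os.path.normpath(os.path.join(dest, m.name))  # '../' walks out
                _write_file(tar, m, target)
                written.append(target)
    return written


def safe_extract(tar_bytes: bytes, dest: str) -> tuple:
    """Same writer, but every entry (links included) goes through check_member."""
    written, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar.getmembers():
            try:
                target = check_member(m, dest)
            except ValueError as exc:
                rejected.append(str(exc))
                continue
            if m.isfile():
                _write_file(tar, m, target)
                written.append(target)
            elif m.issym():
                os.makedirs(os.path.dirname(target), exist_ok=True)
                os.symlink(m.linkname, target)
            # directories and other entry types omitted for brevity
    return written, rejected


def demo() -> dict:
    """Run both extractors in a scratch tree laid out so the '../../' entry
    lands inside the temporary root rather than above it."""
    archive = build_traversal_tar()
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "build", "target")
        os.makedirs(dest)
        naive = naive_extract(archive, dest)
        naive_escaped = os.path.isfile(os.path.join(root, "escaped.txt"))
        written, rejected = safe_extract(archive, dest)
        safe_escaped = any(not _is_within(dest, p) for p in written)
    try:
        check_member(tarfile.TarInfo("/etc/evil"), dest)
        absolute_rejected = False
    except ValueError:
        absolute_rejected = True
    return {
        "naive_written": len(naive), "naive_escaped": naive_escaped,
        "safe_written": len(written), "safe_rejected": len(rejected),
        "safe_escaped": safe_escaped, "absolute_rejected": absolute_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints the demo results: naive_extract leaves escaped.txt two levels above the target directory, while safe_extract writes only pkg/info/index.json and reports the "../../escaped.txt" entry and the "pkg/up" symlink as rejected. On Python 3.12 and later, tarfile.extractall(path, filter="data") performs equivalent checks; the example spells them out so the difference between the two extractors is visible in one place.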
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.