Conda Forge · Conda-Forge-Webservices · CVE-2025-32784
**Name of the Vulnerable Software and Affected Versions**
conda-forge-webservices versions prior to 2025.4.10
**Description**
A Time-of-Check to Time-of-Use (TOCTOU) issue has been identified in the conda-forge-webservices component, which can be exploited to introduce unauthorized modifications to build artifacts stored in the cf-staging Anaconda channel. This may result in the unauthorized publication of malicious artifacts to the production conda-forge channel. The core issue is due to the absence of atomicity between the hash validation and the artifact copy operation, allowing an attacker with access to the cf-staging token to overwrite the validated artifact with a malicious version immediately after hash verification, but before the copy action is executed. This can be done using the `anaconda upload --force` command.
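The check-then-copy race described above, modelled as an added example (this is illustrative code, not conda-forge-webservices' own implementation or its actual patch): an in-memory `Channel` stands in for cf-staging and the production channel, and the `between` hook is an assumed test seam that runs in the window between hash validation and the copy. The vulnerable publisher re-reads staging after validating, so it publishes whatever is there at copy time; the hardened one hashes the bytes it is holding and publishes exactly those bytes.

```python
import hashlib


def digest(data: bytes) -> str:
    """SHA-256 hex digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


class Channel:
    """Constructed stand-in for an Anaconda channel: name -> artifact bytes."""

    def __init__(self) -> None:
        self.files: dict[str, bytes] = {}

    def upload(self, name: str, data: bytes, force: bool = False) -> None:
        # Mirrors `anaconda upload`: an existing file is only replaced with --force.
        if name in self.files and not force:
            raise FileExistsError(name)
        self.files[name] = data

    def download(self, name: str) -> bytes:
        return self.files[name]


def publish_vulnerable(staging, prod, name, expected_hash, between=lambda: None) -> bool:
    """Time-of-check (hash) and time-of-use (copy) read staging separately."""
    if digest(staging.download(name)) != expected_hash:
        return False
    between()  # assumed seam: the window in which staging can still change
    # The copy re-reads staging, so a replaced artifact is what gets published.
    prod.upload(name, staging.download(name))
    return True


def publish_fixed(staging, prod, name, expected_hash, between=lambda: None) -> bool:
    """Read once, validate the bytes held, and publish those same bytes."""
    data = staging.download(name)
    if digest(data) != expected_hash:
        return False
    between()  # a later overwrite of staging no longer affects what is published
    prod.upload(name, data)
    return True
```

If the copy must remain a server-side operation rather than a download and re-upload, the equivalent closure of the window is to hash the object as it exists in the production channel after the copy and retract it on mismatch, so that the validated bytes and the published bytes are never allowed to diverge.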
**Recommendations**
For versions prior to 2025.4.10, update to version 2025.4.10 to fix the vulnerability. As a temporary workaround, consider restricting access to the cf-staging token and limiting the use of the `anaconda upload --force` command to minimize the risk of exploitation.