CVE-2025-31484

Name of the Vulnerable Software and Affected Versions conda-forge infrastructure (affected versions not specified)

Description A bug in the conda-forge infrastructure allowed any feedstock maintainer to upload a package to the conda-forge channel, bypassing the feedstock-token + upload process, between 2025-02-10 and 2025-04-01. The issue was related to the use of the wrong token for Azure's cf-staging access. Security logs on anaconda.org were checked, and no unauthorized packages were found to have been uploaded.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.