PT-2025-16541 · Conda Forge · Conda-Forge-Webservices

Beckermr · Published 2025-04-15 · Updated 2025-04-16 · CVE-2025-32784

CVSS v4.0: 7.5 (High)
Vector: AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: conda-forge-webservices versions prior to 2025.4.10
Description: A Time-of-Check to Time-of-Use (TOCTOU) issue has been identified in the conda-forge-webservices component. It can be exploited to introduce unauthorized modifications to build artifacts stored in the cf-staging Anaconda channel, which may result in the unauthorized publication of malicious artifacts to the production conda-forge channel. The core issue is the absence of atomicity between the hash validation and the artifact copy operation: an attacker holding the cf-staging token can overwrite the validated artifact with a malicious version after the hash has been verified but before the copy is executed. This can be done using the anaconda upload --force command.
Recommendations: For versions prior to 2025.4.10, update to version 2025.4.10 to fix the vulnerability. As a temporary workaround, restrict access to the cf-staging token and limit the use of the anaconda upload --force command to reduce the risk of exploitation.
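The race described above, as an added illustration that is not code from conda-forge-webservices: a simplified in-memory model of the staging and production channels (constructed stand-ins, not the Anaconda API), showing the validate-then-copy pattern beside a variant that hashes and publishes a single byte snapshot so an overwrite in the window cannot reach production.

```python
import hashlib
from typing import Callable, Dict, Optional

# Constructed in-memory stand-ins for the cf-staging and conda-forge
# channels (artifact name -> bytes); not the real Anaconda API.
Channel = Dict[str, bytes]
Hook = Optional[Callable[[], None]]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def publish_validate_then_copy(staging: Channel, prod: Channel, name: str,
                               expected: str, between: Hook = None) -> bool:
    """Vulnerable pattern: the hash check and the copy each read staging,
    so an overwrite landing between the two reads gets published."""
    if sha256(staging[name]) != expected:   # time of check
        return False
    if between:
        between()                           # window for a --force re-upload
    prod[name] = staging[name]              # time of use: second read
    return True


def publish_snapshot(staging: Channel, prod: Channel, name: str,
                     expected: str, between: Hook = None) -> bool:
    """Hardened pattern: read once, verify that exact byte snapshot and
    publish only those bytes, so a later overwrite cannot reach prod."""
    data = staging[name]                    # single read
    if sha256(data) != expected:
        return False
    if between:
        between()                           # same window, now harmless
    prod[name] = data                       # verified bytes, not a re-read
    return True


def demo(name: str = "pkg-1.0.tar.bz2") -> dict:
    """Run both patterns against the same race; returns what lands in prod."""
    good, evil = b"good package v1", b"tampered package"
    results = {}
    for label, publish in (("validate_then_copy", publish_validate_then_copy),
                           ("snapshot", publish_snapshot)):
        staging: Channel = {name: good}
        prod: Channel = {}

        def race() -> None:  # simulated overwrite of the staged artifact
            staging[name] = evil

        results[label] = (publish(staging, prod, name, sha256(good), race),
                          prod.get(name))
    return results
```

Both publishers report success, but only the snapshot variant leaves the verified bytes in production; the fix in 2025.4.10 may differ in detail, the point is that the bytes hashed and the bytes published must be the same read.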

Exploit

Fix

Time Of Check To Time Of Use

Weakness Enumeration

Related Identifiers

CVE-2025-32784
GHSA-28CX-74FP-G2G2

Affected Products

Conda-Forge-Webservices