CVE-2025-35471

Name of the Vulnerable Software and Affected Versions conda-forge openssl-feedstock versions before 066e83c (2024-05-20) Miniforge versions prior to 24.5.0

Description The issue allows a non-privileged local user to execute arbitrary code with the privileges of the user or process loading openssl-feedstock DLLs by writing a specially crafted openssl.cnf file in the OPENSSLDIR. This is due to the configuration of OpenSSL to use an OPENSSLDIR file path that can be written to by non-privileged local users on Microsoft Windows.

Recommendations For conda-forge openssl-feedstock versions before 066e83c (2024-05-20), update to a version after 066e83c (2024-05-20) to resolve the issue. For Miniforge versions prior to 24.5.0, update to version 24.5.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the OPENSSLDIR to prevent non-privileged users from writing to it.