PT-2025-25580 · Unknown · Conda-Build
Stamparm · Published 2025-06-14 · Updated 2025-12-17 · CVE-2025-32797
CVSS v3.1: 7.0 High
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: conda-build versions prior to 25.3.1
Description: conda-build writes its temporary build script with permissions that let other local users modify it, and the script's location can be inferred. An attacker with access to the same filesystem can win the race between the file's creation and its execution, overwrite the script, and have arbitrary code run with the victim's privileges. The risk is greatest on shared hosts (multi-user build machines, shared CI runners), where it can lead to full compromise of the victim's account and, depending on that account, the system. An attacker can watch the parent directories for file-creation events, infer directory names from timestamps or logs, and automate the overwrite so the short window is hit reliably.
Recommendations: Update to conda-build 25.3.1 or later, which fixes the issue. As a temporary workaround, create the build script (build.sh) with mode 0o700 (owner-only read/write/execute) instead of 0o766, so other local users cannot write to it. Write the script atomically: put the content into a randomly named temporary file, set its mode, and then rename it into place, so the final path never exists in a half-written or writable state and the window for the race is minimized.
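The race described above and the two mitigations from the recommendations, as an added Python example that is not conda-build's own code: the first writer mimics the weak pattern the advisory describes (a predictable build.sh name and mode 0o766; the exact file name is an assumption), the second applies the 0o700 mode together with the write-to-random-name-then-rename pattern, and a pre-exec check refuses any script that is a symlink, owned by another user, or writable by group or others.

```python
"""Race-prone vs. hardened creation of a temporary build script.

Illustration for CVE-2025-32797; not conda-build's code. The vulnerable
writer only mimics the weak pattern the advisory describes.
"""
import os
import stat
import subprocess
import tempfile

SCRIPT_NAME = "build.sh"  # assumed predictable name of the build script


def write_build_script_vulnerable(work_dir: str, body: str) -> str:
    """Pre-fix pattern: predictable path, group/other-writable mode.

    Between chmod() and the later exec, any local user who notices the
    file (e.g. via inotify on work_dir) can replace its contents.
    """
    path = os.path.join(work_dir, SCRIPT_NAME)
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, 0o766)  # rwxrw-rw-: group and others may write
    return path


def write_build_script_hardened(work_dir: str, body: str) -> str:
    """Post-fix pattern: random temp name, owner-only mode, atomic rename.

    mkstemp() creates the file with O_EXCL and mode 0o600, so nobody can
    pre-create or open it. The content is complete and the mode is 0o700
    before the predictable name exists; os.replace() publishes it atomically.
    """
    fd, tmp_path = tempfile.mkstemp(prefix=".build-", suffix=".sh", dir=work_dir)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(body)
            fh.flush()
            os.fsync(fh.fileno())
            os.fchmod(fh.fileno(), 0o700)  # rwx------ while still under the temp name
    except BaseException:
        os.unlink(tmp_path)
        raise
    final_path = os.path.join(work_dir, SCRIPT_NAME)
    os.replace(tmp_path, final_path)  # atomic rename on POSIX
    return final_path


def script_is_safe_to_run(path: str) -> bool:
    """Pre-exec check: reject symlinks, non-regular files, files owned by
    another user, and files writable by group or others. lstat() is used so
    a symlink swapped in by an attacker is seen as a symlink, not followed."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != os.getuid():
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def run_build_script(path: str) -> str:
    """Execute the script with sh only if it passes the check; return stdout."""
    if not script_is_safe_to_run(path):
        raise PermissionError(f"refusing to run {path}: not owner-only or not ours")
    result = subprocess.run(["sh", path], capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed demo: TemporaryDirectory() creates the work dir with mode 0o700.
    with tempfile.TemporaryDirectory() as work_dir:
        body = "#!/bin/sh\necho building\n"
        vuln = write_build_script_vulnerable(work_dir, body)
        print(oct(os.stat(vuln).st_mode & 0o777), script_is_safe_to_run(vuln))
        safe = write_build_script_hardened(work_dir, body)
        print(oct(os.stat(safe).st_mode & 0o777), run_build_script(safe))
```

Two caveats a practitioner should keep in mind. The pre-exec check is still check-then-use: it narrows the window but does not close it, so it complements the hardened writer rather than replacing it. And the file mode only protects the file's contents; if the parent directory is writable by other users they can still rename a file of their own over build.sh, so the build working directory itself should be created owner-only (mkdtemp() and TemporaryDirectory() do this with mode 0o700).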

Exploit

Fix

Weakness Enumeration

Related Identifiers

BDU:2026-07576
CVE-2025-32797
GHSA-VFP6-3V8G-VCMM

Affected Products

Conda-Build