CVE-2025-32800

Name of the Vulnerable Software and Affected Versions Conda-build versions prior to 25.3.0

Description The issue concerns a dependency injection vulnerability. Conda-build lists conda-index as a Python dependency in its pyproject.toml file. Since conda-index is not published in PyPI, an attacker could claim this namespace, upload malicious code, and exploit pip install commands by injecting the malicious dependency.

Recommendations For versions prior to 25.3.0, update to version 25.3.0 to resolve the issue. As a temporary workaround, consider using the --no-deps option for pip install commands when installing the project from the repository.