PT-2025-25610 · Unknown · Conda Constructor

Stamparm · Published 2025-06-17 · Updated 2025-06-17 · CVE-2025-49823

CVSS v3.1: 0.0 (None)
Vector: AV:P/AC:H/PR:H/UI:R/S:C/C:N/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Conda Constructor versions prior to 3.11.3

Description: The issue concerns Conda Constructor, a tool for building installers for conda packages. Prior to version 3.11.3, the shell installer scripts process the user-supplied installation prefix with an eval statement, so the unsanitized prefix is executed as shell code. An attacker can inject arbitrary commands through a malicious path passed during installation, although this requires explicit user action. The script runs with the privileges of the installing user, not root.

Recommendations: For versions prior to 3.11.3, update to version 3.11.3 to resolve the issue. As a temporary workaround, consider avoiding the use of the shell installer scripts until the update is applied.
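The unsafe pattern the description refers to, next to one hardened alternative, as an added example (this is not Conda Constructor's own installer code; the function names and the rejected-character list are assumptions):

```shell
#!/bin/sh
# Added example, not the project's code. The advisory describes installers that
# run the user-supplied prefix through eval, roughly:
#   eval PREFIX="$USER_PREFIX"    # expands ~, but also $(...) and backticks
# resolve_prefix does the one thing eval was wanted for (leading ~ expansion)
# itself and otherwise treats the value as literal text, so shell
# metacharacters inside the path are never interpreted.
resolve_prefix() {
    prefix=$1
    case $prefix in
        "~")   prefix=$HOME ;;
        "~/"*) prefix="$HOME/${prefix#"~/"}" ;;
    esac
    printf '%s\n' "$prefix"
}

# Defence in depth: reject prefixes containing characters that would be
# meaningful to a shell. Returns 0 when the prefix is acceptable, 1 otherwise.
prefix_is_safe() {
    case $1 in
        *'$'*|*'`'*|*';'*|*'|'*|*'&'*|*'('*|*')'*|*'<'*|*'>'*|\
        *"'"*|*'"'*|*'\'*|*[[:space:]]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Example installer front-end: validate, then resolve without eval.
install_to() {
    user_prefix=$1
    if ! prefix_is_safe "$user_prefix"; then
        printf 'refusing suspicious install prefix: %s\n' "$user_prefix" >&2
        return 1
    fi
    PREFIX=$(resolve_prefix "$user_prefix")
    printf 'installing into %s\n' "$PREFIX"
}
```

Calling `install_to "$1"` from the installer's argument parser replaces the eval; a prefix such as `~/miniconda3` still resolves to the home directory, while a prefix carrying `$(...)` is rejected before any expansion.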

Weakness Enumeration

Command Injection

Related Identifiers

CVE-2025-49823
GHSA-44Q9-RG2Q-5G99

Affected Products

Conda Constructor