CVE-2025-49842

Name of the Vulnerable Software and Affected Versions conda-forge-webservices versions prior to 2025.3.24

Description The conda-forge-webservices web app, used to run conda-forge admin commands and linting, has an issue where the conda forge webservice Docker container executes commands without specifying a user, defaulting to the root user. This increases the risk of privilege escalation and host compromise if a vulnerability is exploited.

Recommendations For versions prior to 2025.3.24, update to version 2025.3.24 to resolve the issue. As a temporary workaround, consider configuring the Docker container to run as a non-root user until the patch is applied.