CVE-2025-64343

Name of the Vulnerable Software and Affected Versions conda Constructor versions 3.12.2 and below

Description conda Constructor is a tool used to create installers for conda package collections. Versions 3.12.2 and earlier have a configuration where the installation directory receives permissions from its parent directory. When installed outside of restricted directories, these permissions are overly permissive, often granting write access to authenticated users. This allows any logged-in user to make changes during installation, presenting a local attack vector. For single-user installations within shared directories, these permissions remain after installation.

Recommendations Update to version 3.13.0 or later.