Home > Vulnerability Database > CVE-2025-49824

Mend.io Vulnerability Database

CVE-2025-49824

Good to know:

Date: June 17, 2025

conda-smithy is a tool for combining a conda recipe with configurations to build using freely hosted CI services into a single repository. Prior to version 3.47.1, the travis_encrypt_binstar_token implementation in the conda-smithy package has been identified as vulnerable to an Oracle Padding Attack. This vulnerability results from the use of an outdated and insecure padding scheme during RSA encryption. A malicious actor with access to an oracle system can exploit this flaw by iteratively submitting modified ciphertexts and analyzing responses to infer the plaintext without possessing the private key. This issue has been patched in version 3.47.1.

Severity Score

5.8

Related Resources (5)

Url: https://github.com/conda-forge/conda-smithy/commit/24cc0a55a363479e797c825be3a7f2603ef374a1

Url: https://github.com/conda-forge/conda-smithy/blob/46a06524eeeb7f59e0969c3967ce5f700643d322/conda_smithy/ci_register.py#L447

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-49824

Url: https://github.com/conda-forge/conda-smithy/security/advisories/GHSA-2xf4-hg9q-m58q

Url: https://www.mend.io/vulnerability-database/CVE-2025-49824

Severity Score

5.8

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Top Fix

Upgrade Version

Upgrade to version conda-smithy - 3.47.1;https://github.com/conda-forge/conda-smithy.git - v3.47.1

Learn More

CVSS v3.1

Base Score:	5.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-49824

Good to know:

Date: June 17, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?