CVE-2025-49843
June 17, 2025
conda-smithy is a tool for combining a conda recipe with configurations to build using freely hosted CI services into a single repository. Prior to version 3.47.1, the travis_headers function in the conda-smithy repository creates files with permissions exceeding 0o600, allowing read and write access beyond the intended user/owner. This violates the principle of least privilege, which mandates restricting file permissions to the minimum necessary. An attacker could exploit this to access configuration files in shared hosting environments. This issue has been patched in version 3.47.1.
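The fix class described above, as an added example that is not conda-smithy's own code: create a generated configuration file with mode 0o600 regardless of the process umask, alongside the default-permission pattern for comparison and a check that flags any mode looser than owner-only. Function names and the temporary files are assumptions for the demonstration.

```python
"""Owner-only file creation vs. default creation (added example, not project code)."""
import os
import stat
import tempfile


def write_private_file(path: str, content: str) -> int:
    """Create `path` readable/writable only by its owner and return its mode bits.

    os.open() applies the umask to the requested mode, so the file can come out
    more restrictive than 0o600 but never less; the explicit fchmod pins it to
    exactly 0o600 and also tightens a pre-existing file with looser bits.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchmod(fd, 0o600)
        os.write(fd, content.encode())
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_default_file(path: str, content: str) -> int:
    """Plain open(): mode is 0o666 masked by the umask, typically 0o644."""
    with open(path, "w") as fh:
        fh.write(content)
    return stat.S_IMODE(os.stat(path).st_mode)


def exceeds_owner_only(mode: int) -> bool:
    """True if any group or other permission bit is set (looser than 0o600)."""
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def demo() -> tuple:
    """Write both variants under a fixed umask of 0o022; returns (loose, tight) modes."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            loose = write_default_file(os.path.join(d, "loose.yml"), "key: value\n")
            tight = write_private_file(os.path.join(d, "tight.yml"), "key: value\n")
    finally:
        os.umask(old_umask)
    return loose, tight


if __name__ == "__main__":
    loose, tight = demo()
    print(f"default: {oct(loose)} looser={exceeds_owner_only(loose)}")
    print(f"private: {oct(tight)} looser={exceeds_owner_only(tight)}")
```

Running `exceeds_owner_only` over the mode of every file a generator emits is a cheap regression check for this class of defect.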
Affected Packages
conda-smithy (CONDA):
Affected version(s): >=0.1.0dev <3.47.1
Fix Suggestion: Update to version 3.47.1
https://github.com/conda-forge/conda-smithy.git (GITHUB):
Affected version(s): >=v0.2 <v3.47.1
Fix Suggestion: Update to version v3.47.1
CVSS v4
Base Score: 2.7
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: NONE
Vulnerable System Confidentiality: NONE
Vulnerable System Integrity: NONE
Vulnerable System Availability: NONE
Subsequent System Confidentiality: LOW
Subsequent System Integrity: LOW
Subsequent System Availability: NONE
Exploit Maturity: UNREPORTED
CVSS v3
Base Score: 7.2
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality: LOW
Integrity: LOW
Availability: NONE
Weakness Type (CWE): Incorrect Default Permissions
EPSS
Base Score: 0.07