Description
conda-forge-metadata provides programatic access to conda-forge's metadata. conda-forge-metadata uses an optional dependency - "conda-oci-mirror" which was neither present on the PyPi repository nor registered by any entity. If conda-oci-mirror is taken over by a threat actor, it can result in remote code execution.
Scores
CVSS v4
9.3
EPSS
0.0632
EPSS Percentile
91.0%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-829
Status
published
Products (1)
conda-forge/conda-forge-metadata
<= 0.4.1
Published
Mar 04, 2025
Tracked Since
Feb 18, 2026