RCE in Conda-forge Conda-forge-ci-setup-feedstock
CVE-2025-49598
conda-forge-ci-setup is a package installed by conda-forge each time a build is run on CI. The conda-forge-ci-setup-feedstock setup script is vulnerable due to the unsafe use of the eval function when parsing version information from a cus…
EPSS: 0.002 (4.6th percentile)
Affected products
- Conda-forge Conda-forge-ci-setup-feedstock — versions < 4.15.0