Description

(conda) Constructor is a tool which allows constructing an installer for a collection of conda packages. Prior to version 3.11.3, shell installer scripts process the installation prefix (user_prefix) using an eval statement, which executes unsanitized user input as shell code. Although the script runs with user privileges (not root), an attacker could exploit this by injecting arbitrary commands through a malicious path during installation. Exploitation requires explicit user action. This issue has been patched in version 3.11.3.

INFO

Published Date :

2025-06-17T02:21:17.496Z

Last Modified :

2025-06-17T15:52:25.295Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-49823 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-49823.

URL Resource
https://github.com/conda/constructor/commit/ce4c2d58cfcde2f62d038fb8aba013176c77a0b1 cve-icon cve-icon
https://github.com/conda/constructor/security/advisories/GHSA-44q9-rg2q-5g99 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact