Description

(conda) Constructor is a tool that enables users to create installers for conda package collections. In versions 3.12.2 and below, the installation directory inherits permissions from its parent directory. Outside of restricted directories, the permissions are very permissive and often allow write access by authenticated users. Any logged in user can make modifications during the installation for both single-user and all-user installations. This constitutes a local attack vector if the installation is in a directory local users have access to. For single-user installations in a shared directory, these permissions persist after the installation. This issue is fixed in version 3.13.0.

INFO

Published Date :

2025-11-07T05:20:38.659Z

Last Modified :

2025-11-07T05:20:38.659Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-64343 vulnerability.

Vendors Products
Conda
  • Constructor
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-64343.

URL Resource
https://github.com/conda/constructor/commit/c368383710a7c2b81ad1b0ecb9724b38d3577447 cve-icon cve-icon
https://github.com/conda/constructor/releases/tag/3.13.0 cve-icon cve-icon
https://github.com/conda/constructor/security/advisories/GHSA-vvpr-2qg4-2mrq cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact