CVE-2025-27510: RCE in the package conda-forge-metadata

9.3 CVSS

Description

conda-forge-metadata provides programmatic access to conda-forge's metadata. conda-forge-metadata declares an optional dependency, "conda-oci-mirror", which was neither present on the PyPI repository nor registered by any entity. If conda-oci-mirror is taken over by a threat actor, it can result in remote code execution.
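The weakness described above is a declared-but-unregistered dependency name: anyone who later claims that name on the index controls code that downstream installs will pull in. A defender-side check is to audit a project's optional dependencies against the names an index actually serves. The script below is an added example, not code from the conda-forge-metadata project; it parses the `[project.optional-dependencies]` table of a pyproject.toml, normalizes each requirement name per PEP 503, and reports names absent from a set of known-registered names. The `SAMPLE_PYPROJECT` text and the `KNOWN_REGISTERED` set are constructed stand-ins; in practice the registered set would be built by querying the index (for PyPI, its JSON API), and `tomllib` assumes Python 3.11+ (the `tomli` fallback covers older interpreters).

```python
"""Audit optional dependencies for names not known to be registered on an index.

Added example; not part of conda-forge-metadata. SAMPLE_PYPROJECT and
KNOWN_REGISTERED are constructed for illustration.
"""
import re

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # assumed available on older interpreters

# Leading project name of a PEP 508 requirement string such as
# "pkg-name[extra]>=1.0; python_version >= '3.8'".
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of '-', '_', '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(req: str) -> str:
    """Return the normalized project name of one requirement string."""
    m = _NAME_RE.match(req)
    if not m:
        raise ValueError(f"cannot parse requirement: {req!r}")
    return normalize(m.group(1))


def optional_dependencies(pyproject_text: str) -> dict[str, list[str]]:
    """Map each extra to the normalized names it requires."""
    data = tomllib.loads(pyproject_text)
    extras = data.get("project", {}).get("optional-dependencies", {})
    return {extra: [requirement_name(r) for r in reqs] for extra, reqs in extras.items()}


def unregistered_dependencies(pyproject_text: str, registered: set[str]) -> dict[str, list[str]]:
    """Return {extra: [names not in `registered`]} for extras that have any such name.

    A name in this result is one an attacker could still claim on the index,
    so it should be registered (or the dependency removed) before release.
    """
    known = {normalize(n) for n in registered}
    findings: dict[str, list[str]] = {}
    for extra, names in optional_dependencies(pyproject_text).items():
        missing = sorted(n for n in names if n not in known)
        if missing:
            findings[extra] = missing
    return findings


# Constructed sample modelled on the advisory: one extra pulls in an
# optional dependency that no index serves.
SAMPLE_PYPROJECT = """
[project]
name = "example-project"
version = "0.1"
dependencies = ["requests>=2.0"]

[project.optional-dependencies]
oci = ["conda-oci-mirror", "requests>=2.0"]
dev = ["pytest>=7; python_version >= '3.8'", "Ruff"]
"""

# Constructed stand-in for the names the index actually serves.
KNOWN_REGISTERED = {"requests", "pytest", "ruff"}


if __name__ == "__main__":
    for extra, missing in unregistered_dependencies(SAMPLE_PYPROJECT, KNOWN_REGISTERED).items():
        print(f"extra '{extra}': unregistered dependency names {missing}")
```

Running the audit in CI against the live index turns an unclaimed optional dependency into a build failure rather than a latent takeover path; normalizing both sides matters because an index treats `Conda_OCI.mirror` and `conda-oci-mirror` as the same project.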

Classification

CVE ID: CVE-2025-27510

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.3

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem Types

CWE-829: Inclusion of Functionality from Untrusted Control Sphere

Affected Products

Vendor: conda-forge

Product: conda-forge-metadata

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.25% (probability of being exploited)

EPSS Percentile: 45.78% (fraction of scored vulnerabilities with a score less than or equal to this one)

EPSS Date: 2025-04-02 (date the score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-27510
https://github.com/conda-forge/conda-forge-metadata/security/advisories/GHSA-vwfh-m3q7-9jpw
https://github.com/conda-forge/conda-forge-metadata/blob/799aee36b21ee06289d73d57838b28201f5a57af/pyproject.toml#L28

Timeline