CVE-2025-27510

N/A Unknown

Published: March 04, 2025 Modified: April 15, 2026

Description

conda-forge-metadata provides programatic access to conda-forge's metadata. conda-forge-metadata uses an optional dependency - "conda-oci-mirror" which was neither present on the PyPi repository nor registered by any entity. If conda-oci-mirror is taken over by a threat actor, it can result in remote code execution.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://github.com/conda-forge/conda-forge-metadata/blob/799aee36b21ee06289d73d57838b28201f5a57af/pyproject.toml#L28

Source: security-advisories@github.com

https://github.com/conda-forge/conda-forge-metadata/security/advisories/GHSA-vwfh-m3q7-9jpw

Source: security-advisories@github.com

https://github.com/conda-forge/conda-forge-metadata/security/advisories/GHSA-vwfh-m3q7-9jpw

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

3 reference(s) from NVD

Quick Stats

CVSS v3 Score

N/A / 10.0

EPSS (Exploit Probability)

6.3%

91th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-829

Related CVEs

CVE-2026-41907 N/A

CVE-2026-41894 N/A

CVE-2026-41492 9.8

CVE-2026-41421 8.8

CVE-2026-41419 7.6