CVE-2025-27510
Published: 04 March 2025
Description
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.
Security Summary
CVE-2025-27510 is a vulnerability in the conda-forge-metadata package, which provides programmatic access to conda-forge's metadata. The issue arises from an optional dependency on "conda-oci-mirror", a package name that was neither present on the PyPI repository nor registered by any entity. This configuration aligns with CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), creating a risk where a threat actor could claim the package name and introduce malicious code, potentially resulting in remote code execution.
The vulnerability can be exploited by any threat actor who registers the unclaimed "conda-oci-mirror" package on PyPI and uploads a malicious version. Users of conda-forge-metadata who install the optional extra that declares this dependency would receive the attacker's package, and its code would execute on their systems, resulting in remote code execution.
Mitigation details are outlined in the GitHub security advisory GHSA-vwfh-m3q7-9jpw for conda-forge-metadata, available at https://github.com/conda-forge/conda-forge-metadata/security/advisories/GHSA-vwfh-m3q7-9jpw. The dependency is declared in the project's pyproject.toml file at https://github.com/conda-forge/conda-forge-metadata/blob/799aee36b21ee06289d73d57838b28201f5a57af/pyproject.toml#L28.
Details
CWE(s): CWE-829 (Inclusion of Functionality from Untrusted Control Sphere)
MITRE ATT&CK Enterprise Techniques: T1195.001 (Compromise Software Dependencies and Development Tools)
Why these techniques?
The CVE describes the inclusion of an unclaimed optional dependency (CWE-829) that an attacker could register on PyPI with malicious code; a consumer installing that extra would receive the attacker's package, which is a direct compromise of a software dependency leading to RCE.