conda-forge conda-forge-metadata Remote Code Execution Vulnerability via Malicious Dependency

Vulnerability

A remote code execution vulnerability exists in the conda-forge-metadata package, specifically in versions 0.4.1 and prior. The issue arises from an optional dependency, conda-oci-mirror, which is not published on PyPI and has not been registered by any entity. If a threat actor claims this unregistered name and takes control of the dependency, it could lead to arbitrary code execution on the user's system.

Impact

Exploitation of this vulnerability allows for remote code execution on the system where conda-forge-metadata is installed.

Reproduction

The vulnerability can be reproduced by installing the conda-forge-metadata package with the 'oci' optional dependency, using the command 'pip install conda-forge-metadata[oci]'. Once installed, the unclaimed dependency conda-oci-mirror can be exploited to execute arbitrary code.

Remediation

To address this vulnerability, remove conda-oci-mirror from the optional-dependencies section of the conda-forge-metadata pyproject.toml file. If the dependency is dropped entirely, delete it from the requirements.txt file as well.
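The underlying defect is a declared dependency whose name nobody has published, so the defender's check is to audit every name in pyproject.toml (mandatory and optional) and requirements.txt against the package index and flag the ones the index does not know. The script below is an added example, not code from the conda-forge-metadata project or from this advisory: the project table, the requirements.txt body and the list of "registered" names are constructed inline so the check runs offline, and 'example-oci-mirror' is a hypothetical unclaimed name standing in for the real one. The pypi_is_registered function shows the live lookup against PyPI's JSON API for use on real projects.

```python
"""
Audit declared dependencies (mandatory, optional extras and requirements.txt)
for names that are not registered on the package index.  An unclaimed name is
a supply-chain risk: whoever registers it first controls what
'pip install project[extra]' pulls in.  The index lookup is injected so the
check can run offline against a constructed list of known names.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Leading distribution name of a PEP 508 requirement string.
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(spec: str) -> str:
    """Name from a requirement such as 'foo[bar]>=1.0; python_version > "3.8"'."""
    m = _NAME_RE.match(spec)
    if not m:
        raise ValueError(f"unparseable requirement: {spec!r}")
    return normalize(m.group(1))


def declared_dependencies(project: Dict) -> Dict[str, List[str]]:
    """
    Map each dependency group to its normalised names.  `project` is the
    [project] table of pyproject.toml in the shape tomllib.load() returns.
    Mandatory deps go under 'dependencies'; each extra keeps its own key.
    """
    groups = {"dependencies": [requirement_name(s) for s in project.get("dependencies", [])]}
    for extra, specs in project.get("optional-dependencies", {}).items():
        groups[extra] = [requirement_name(s) for s in specs]
    return groups


def requirements_file_names(text: str) -> List[str]:
    """Names from a requirements.txt body; blanks, comments and pip options (-r, -e, --flag) are skipped."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        names.append(requirement_name(line))
    return names


def find_unclaimed(groups: Dict[str, List[str]], is_registered: Callable[[str], bool]) -> Dict[str, List[str]]:
    """Return {group: [names]} for every declared name the index does not know."""
    findings = {}
    for group, names in groups.items():
        missing = [n for n in names if not is_registered(n)]
        if missing:
            findings[group] = missing
    return findings


def pypi_is_registered(name: str, timeout: float = 10.0) -> bool:
    """Live lookup against PyPI's JSON API (https://pypi.org/pypi/<name>/json); HTTP 404 means unclaimed."""
    try:
        with urllib.request.urlopen(f"https://pypi.org/pypi/{name}/json", timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return False
        raise


# Constructed sample: what tomllib.load(...)["project"] would return for a
# pyproject.toml whose 'oci' extra names a package nobody has published.
SAMPLE_PROJECT = {
    "name": "example-metadata",
    "dependencies": ["requests>=2.0", "PyYAML"],
    "optional-dependencies": {
        "oci": ["example-oci-mirror"],  # hypothetical unclaimed name
        "dev": ["pytest>=7", "ruff"],
    },
}

# Constructed requirements.txt that also pins the unclaimed name.
SAMPLE_REQUIREMENTS = """\
# pinned runtime deps (constructed sample)
-r base.txt
requests>=2.0
example-oci-mirror  # same unclaimed name again
"""

# Constructed stand-in for the index: the only names we treat as registered.
KNOWN_ON_INDEX = {"requests", "pyyaml", "pytest", "ruff"}


def offline_is_registered(name: str) -> bool:
    return normalize(name) in KNOWN_ON_INDEX


def audit_sample() -> Dict[str, List[str]]:
    """Run the offline audit over both constructed inputs."""
    groups = declared_dependencies(SAMPLE_PROJECT)
    groups["requirements.txt"] = requirements_file_names(SAMPLE_REQUIREMENTS)
    return find_unclaimed(groups, offline_is_registered)


if __name__ == "__main__":
    for group, names in audit_sample().items():
        print(f"[{group}] unclaimed on index: {', '.join(names)}")
```

On a real checkout, replace the constructed dict with tomllib.load(open("pyproject.toml", "rb"))["project"] and pass pypi_is_registered instead of the offline stub; any group that comes back non-empty is a name that should either be published under your control or removed, as the remediation above does.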

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.5
urgency: 2.9
incentive: 5.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.