Conda-Forge Infrastructure Azure Token Misconfiguration Vulnerability

Vulnerability

A vulnerability exists in the conda-forge infrastructure due to a misconfiguration in the Azure deployment process. Between February 10, 2025, and April 1, 2025, the wrong token was used for accessing the 'cf-staging' environment. This error allowed any feedstock maintainer to upload packages directly to the conda-forge channel, bypassing the established token and upload procedures. An investigation into the security logs on anaconda.org revealed no evidence of unauthorized package uploads during this period.

Impact

This vulnerability allowed unauthorized package uploads to the conda-forge channel, bypassing the standard verification and upload process that the staging token is meant to enforce.

Remediation

The issue has been fixed by updating the Azure variable group to use the correct staging token. Users should ensure that their Azure configurations reflect this change.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 5.9
remediation: 0.0
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.