Conda-Forge Webservices Race Condition Vulnerability Allowing Unauthorized Artifact Modifications
Vulnerability
A race condition vulnerability has been identified in conda-forge-webservices, the component that services the shared conda-forge build infrastructure, in versions prior to 2025.4.10. The issue is a Time-of-Check to Time-of-Use (TOCTOU) flaw in the path that copies build artifacts from the cf-staging Anaconda channel to the production conda-forge channel: the webservice validates an artifact's hash and then copies the artifact in a separate, non-atomic step. Because the cf-staging channel permits overwrites (for example with the anaconda upload --force command), an attacker holding the cf-staging token can replace a validated artifact with a malicious one after the hash check has passed but before the copy runs, so the copy transfers the attacker's file rather than the file that was validated. The result is the unauthorized publication of malicious artifacts to the production conda-forge channel.
Impact
Exploitation of this vulnerability could lead to the unauthorized modification of build artifacts, allowing malicious packages to be published to the production conda-forge channel, where they could be installed by users.
Reproduction
To reproduce this vulnerability, an attacker must hold the cf-staging token and wait for a legitimate build event that triggers the conda-forge-webservices copy process. In the window after the hash validation has passed and before the copy operation executes, the attacker overwrites the validated artifact in cf-staging (using anaconda upload --force) with a malicious version, which is then copied to the production channel.
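The check-then-copy window described in the Vulnerability and Reproduction sections, as an added example that is not code from conda-forge-webservices and does not reflect the fix shipped in 2025.4.10. It models cf-staging and the production channel as in-memory dictionaries (constructed stand-ins for anaconda.org channels), models the attacker's anaconda upload --force as a callback fired between the hash check and the copy, and contrasts the vulnerable two-read pattern with one hardening strategy: read the artifact bytes once, validate exactly those bytes, copy exactly those bytes, and re-verify what landed in production. The function and artifact names are hypothetical.

```python
import hashlib
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-ins for cf-staging and the production channel:
# artifact filename -> artifact bytes. Real channels live on anaconda.org.
Channel = Dict[str, bytes]
Hook = Optional[Callable[[], None]]

# Constructed artifact contents (hypothetical).
GOOD = b"legitimate package bytes (constructed)"
EVIL = b"malicious package bytes (constructed)"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vulnerable_copy(staging: Channel, prod: Channel, name: str,
                    expected: str, race_window: Hook = None) -> bool:
    """TOCTOU pattern: the hash is checked on one read of the staging
    artifact and the copy is performed on a second, independent read.
    `race_window` models the attacker's upload --force landing in between."""
    if sha256(staging[name]) != expected:        # time of check
        return False
    if race_window:
        race_window()                            # attacker overwrites here
    prod[name] = staging[name]                   # time of use: re-reads staging
    return True


def hardened_copy(staging: Channel, prod: Channel, name: str,
                  expected: str, race_window: Hook = None) -> bool:
    """Pin the bytes in memory with a single read, validate those bytes, copy
    those same bytes, then verify the production copy independently."""
    data = staging[name]                         # single read
    if sha256(data) != expected:
        return False
    if race_window:
        race_window()                            # overwrite no longer matters
    prod[name] = data                            # copies the validated bytes
    return sha256(prod[name]) == expected        # post-copy verification


def simulate_race(copy_fn, when: str = "between") -> Tuple[bool, Optional[bytes]]:
    """Run one copy under attack. `when` is 'between' (overwrite inside the
    check/copy window) or 'before' (overwrite before the check runs).
    Returns (copy accepted?, bytes now in production)."""
    name = "pkg-1.0-py_0.conda"                  # hypothetical artifact name
    staging: Channel = {name: GOOD}
    prod: Channel = {}
    expected = sha256(GOOD)                      # hash recorded at upload time

    def attacker_overwrite() -> None:            # models anaconda upload --force
        staging[name] = EVIL

    hook: Hook = attacker_overwrite
    if when == "before":
        attacker_overwrite()
        hook = None
    accepted = copy_fn(staging, prod, name, expected, hook)
    return accepted, prod.get(name)


if __name__ == "__main__":
    for fn in (vulnerable_copy, hardened_copy):
        accepted, published = simulate_race(fn)
        print(f"{fn.__name__}: accepted={accepted}, "
              f"published_malicious={published == EVIL}")
```

An overwrite that lands before the check is caught by either version, which is why the hash check alone looks sufficient in ordinary testing; only an overwrite inside the window separates the two. When the copy is a server-side operation that cannot pin bytes in memory, the equivalent hardening is to verify the hash of the artifact in the destination channel after the copy and roll back on mismatch.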
Remediation
Users can update to version 2025.4.10 or later to address this vulnerability.
