CVE-2025-64343 is a vulnerability in the conda constructor tool, which is used to create installers for conda package collections. Versions 3.12.2 and earlier suffer from an authentication bypass issue due to the way installation directory permissions are inherited from the parent directory. When the parent directory has permissive permissions, such as write access for authenticated users, any logged-in user can modify the installation files during the installation process. This applies to both single-user and all-user installations. In shared directory environments, the permissive permissions persist after installation, allowing ongoing unauthorized modifications. The vulnerability is classified under CWE-289 (Authentication Bypass by Alternate Name) because it effectively allows users with limited privileges to bypass intended access controls by exploiting directory permission inheritance. The CVSS v3.1 base score is 7.8 (high), reflecting the local attack vector (AV:L), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no known exploits are reported in the wild, the vulnerability poses a significant risk in multi-user environments where conda constructor is used. The issue is resolved in conda constructor version 3.13.0, which presumably corrects the permission inheritance behavior to prevent unauthorized write access during and after installation.

For European organizations, this vulnerability could lead to unauthorized local users modifying conda package installers or installed software, potentially injecting malicious code or disrupting software functionality. This compromises confidentiality, integrity, and availability of software environments relying on conda constructor. Organizations with shared systems or multi-user environments, such as universities, research institutions, and enterprises using conda for data science or software deployment, are particularly at risk. The persistence of permissive permissions after installation in shared directories increases the risk of ongoing unauthorized access and tampering. This could facilitate privilege escalation, supply chain compromise, or lateral movement within networks. The impact is heightened in environments where conda packages are used to deploy critical applications or sensitive data processing pipelines. Given the widespread use of conda in scientific and development communities across Europe, the vulnerability could affect a broad range of sectors including academia, healthcare, finance, and technology.

European organizations should immediately upgrade conda constructor to version 3.13.0 or later to remediate the vulnerability. Until upgrades are applied, restrict write permissions on parent directories used for conda installations to trusted administrators only, preventing unauthorized users from modifying installation directories. Implement strict access controls and auditing on shared directories where conda is installed. Use filesystem permissions and access control lists (ACLs) to enforce least privilege principles. Consider isolating conda installations to user-specific directories with controlled access rather than shared locations. Regularly monitor and verify integrity of installed conda packages and installers to detect unauthorized changes. Incorporate this vulnerability into local security awareness and incident response plans, emphasizing the risk of local privilege escalation via installation tampering. Finally, maintain up-to-date inventories of conda constructor versions deployed across the organization to ensure timely patching.