feat(threat_intel): add conda/pixi supply-chain catalogs (CVE-2025-27510 + 7ASecurity audit cluster) #37

Closed. jviehhauser wants to merge 2 commits into perplexityai:main from jviehhauser:jv/conda-forge-metadata-catalog

jviehhauser commented May 28, 2026

Summary

Adds two exposure catalogs covering the conda/pixi supply chain, sourced from public GHSAs / CVEs / the conda-forge 2025 security audit.

threat_intel/conda-forge-metadata-2025-03-04.json — PyPI

One entry, ecosystem pypi:

  • CVE-2025-27510 / GHSA-vwfh-m3q7-9jpw: conda-forge-metadata ≤0.4.1 dependency-confusion RCE via the unregistered conda-oci-mirror optional dep ([oci] extras). CVSS 9.3 critical, published 2025-03-04. Fixed upstream by claiming the placeholder PyPI name (no version bump on conda-forge-metadata itself); affected installed releases are 0.3.0 and 0.4.1 per PyPI release history.

threat_intel/conda-tooling-7asecurity-2025-06-14.json — Conda

Three entries, ecosystem conda, all published 2025-06-14 from the 7ASecurity OSTIF/STA-sponsored conda-forge audit (March–April 2025):

| CVE | GHSA | Package | Affected | Patched | Severity |
|---|---|---|---|---|---|
| CVE-2025-32798 | GHSA-6cc8-c3c9-3rgr | conda-build | ≤25.3.2 | 25.4.0 | high |
| CVE-2025-32799 | GHSA-h499-pxgj-qh5h | conda-build | ≤25.3.2 | 25.4.0 | high |
| CVE-2025-49824 | GHSA-2xf4-hg9q-m58q | conda-smithy | ≤3.47.0 | 3.47.1 | medium |

These are properly ecosystem: "conda" because both conda-build and conda-smithy have no real PyPI distribution — their PyPI namesakes are inert placeholders that point readers to the conda channel. The advisories only match against conda-meta records produced by the conda scanner added in #36, so these entries are inert until that PR merges. Affected version arrays enumerate every conda-forge release at or below each advisory's <=X.Y.Z cutoff (112 conda-build versions, 228 conda-smithy versions) per the project's laravel-lang-style "enumerate everything affected" convention; lists were pulled from the anaconda.org channel API.

Why these two and not more

I checked harder for additional conda-channel compromises before settling on this set:

  • CVE-2025-31484 (conda-forge token exposure, Feb–Apr 2025) — the conda-forge postmortem found no shipped malicious packages, so there is nothing to catalog as on-disk presence.
  • CVE-2024-3094 (xz-utils backdoor) — conda-forge confirmed unaffected (last xz build was 5.2.9, predating the 5.6.x backdoored series).
  • CVE-2025-35471 (Miniforge installer / openssl-feedstock DLL hijack on Windows) — affects the Miniforge installer image, not an installed openssl conda-meta version per se, so it doesn't map to bumblebee's package-presence model.
  • CVE-2025-32784 / -32797 / -49823 / -49842 / -49843 (audit findings on staged-recipes weak permissions, conda-smithy CI hardening, etc.) — process / infra hardening, not shipped-package vulnerabilities.

The conda package manager itself (the conda package) had no relevant GHSA at the time of authoring.

Match verification (local)

Each catalog was loaded through internal/exposure and probed with synthetic records:

# conda-forge-metadata-2025-03-04.json
loaded 1 entries
  pypi/conda-forge-metadata/0.3.0  hits=1
  pypi/conda-forge-metadata/0.4.1  hits=1
  pypi/conda-forge-metadata/0.5.0  hits=0

# conda-tooling-7asecurity-2025-06-14.json
loaded 3 entries
  conda/conda-build/25.3.2     hits=2  (CVE-2025-32798 + CVE-2025-32799)
  conda/conda-build/24.11.2    hits=2
  conda/conda-build/2.0.12     hits=2
  conda/conda-build/25.4.0     hits=0  (patched)
  conda/conda-build/26.5.0     hits=0  (current)
  conda/conda-smithy/3.47.0    hits=1
  conda/conda-smithy/3.12      hits=1  (weird-format version preserved literally)
  conda/conda-smithy/0.1.0dev  hits=1
  conda/conda-smithy/3.47.1    hits=0  (patched)
  conda/conda-smithy/3.62.0    hits=0  (current)
  pypi/conda-build/25.3.2      hits=0  (wrong ecosystem)
  conda/Conda-Build/25.3.2     hits=2  (case-insensitive name match)

Relationship to #36

Independent on the PyPI side (the conda-forge-metadata entry matches against the existing PyPI scanner today). The conda-side entries are declarative data that activates the moment the conda scanner in #36 merges — no further changes needed.

Test plan

  • Both catalog files load via bumblebee scan --exposure-catalog ./threat_intel/... without parse errors
  • Positive and negative match probes pass for every CVE (12 probes total)
  • go test ./internal/exposure passes
  • Real-world spot-check on a host with conda-build / conda-smithy installed

🤖 Generated with Claude Code
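
The matching behaviour exercised by the probes under "Match verification" (exact enumerated versions, ecosystem scoping, case-insensitive names) can be sketched as follows. This is an added example, not code from the PR or from bumblebee: the catalog schema, the `Load`/`Hits` names and the shortened version arrays are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Assumed schema (hypothetical, not bumblebee's); versions are a constructed subset of the PR's probes.
const catalogJSON = `[
 {"id":"CVE-2025-27510","ecosystem":"pypi","package":"conda-forge-metadata","versions":["0.3.0","0.4.1"]},
 {"id":"CVE-2025-32798","ecosystem":"conda","package":"conda-build","versions":["25.3.2","24.11.2","2.0.12"]},
 {"id":"CVE-2025-32799","ecosystem":"conda","package":"conda-build","versions":["25.3.2","24.11.2","2.0.12"]},
 {"id":"CVE-2025-49824","ecosystem":"conda","package":"conda-smithy","versions":["3.47.0","3.12","0.1.0dev"]}
]`

type entry struct {
	ID, Ecosystem, Package string
	Versions               []string
}

// Index maps "ecosystem/name/version" to the advisory IDs listing that release.
type Index map[string][]string

// key lowercases ecosystem and name; the version is kept literal ("3.12", "0.1.0dev").
func key(eco, name, ver string) string { return strings.ToLower(eco+"/"+name) + "/" + ver }

// Load parses the catalog and indexes every enumerated version.
func Load(raw string) (Index, error) {
	var entries []entry
	if err := json.Unmarshal([]byte(raw), &entries); err != nil {
		return nil, err
	}
	idx := Index{}
	for _, e := range entries {
		for _, v := range e.Versions {
			k := key(e.Ecosystem, e.Package, v)
			idx[k] = append(idx[k], e.ID)
		}
	}
	return idx, nil
}

// Hits returns the advisories that list this exact inventory record.
func (idx Index) Hits(eco, name, ver string) []string { return idx[key(eco, name, ver)] }

func main() {
	idx, err := Load(catalogJSON)
	fmt.Println(idx.Hits("conda", "Conda-Build", "25.3.2"), err)
}
```

Because versions are compared as literal strings rather than parsed, a patched release such as 25.4.0 misses simply by not being enumerated, and odd strings like `3.12` need no version-ordering logic.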

jviehhauser and others added 2 commits May 28, 2026 15:22
…catalog

Catalogs the GHSA-vwfh-m3q7-9jpw dependency-confusion RCE in
conda-forge-metadata <=0.4.1. The package declares an optional
dependency on `conda-oci-mirror` (an unregistered PyPI name) under its
`[oci]` extras; an attacker who claimed that PyPI name before
conda-forge did could RCE on anyone running
`pip install conda-forge-metadata[oci]`. The fix was applied upstream
by registering the placeholder name, so affected installed releases
(0.3.0 and 0.4.1 — the only two releases at or below 0.4.1 per PyPI
history) remain useful to flag on inventory scans.

Ecosystem is `pypi` because conda-forge-metadata ships via PyPI rather
than via the conda-forge channel. This is the first catalog covering
the conda/pixi tooling supply chain; pixi users picking up conda
tooling via pixi.lock's pypi section, or anyone with a
`pip install conda-forge-metadata` in their environment, would
surface here.

Co-Authored-By: Claude <noreply@anthropic.com>

Adds threat_intel/conda-tooling-7asecurity-2025-06-14.json covering the
three conda-channel-package CVEs published 2025-06-14 from the
7ASecurity OSTIF/STA-sponsored conda-forge audit (March-April 2025):

  - CVE-2025-32798 / GHSA-6cc8-c3c9-3rgr: conda-build <=25.3.2 arbitrary
    code execution via unsafe evaluation of malicious recipe selectors
  - CVE-2025-32799 / GHSA-h499-pxgj-qh5h: conda-build <=25.3.2 Tarslip
    path traversal via crafted tar entry paths
  - CVE-2025-49824 / GHSA-2xf4-hg9q-m58q: conda-smithy <=3.47.0 RSA
    PKCS#1 v1.5 padding-oracle in travis_encrypt_binstar_token

All three are ecosystem:"conda" — the PyPI namesakes are inert
placeholders that point readers to the conda channel, so these
advisories only match against conda-meta records produced by the conda
scanner added in PR perplexityai#36. Affected version arrays enumerate every
conda-forge release at or below each advisory's "<=X.Y.Z" cutoff per
the project convention (112 conda-build versions, 228 conda-smithy
versions), pulled from the anaconda.org channel API.

Match coverage verified locally: every enumerated version produces the
expected hit count (1 or 2 per record), patched versions and current
releases produce zero hits, wrong-ecosystem records do not match, and
case-insensitive name normalization works through the existing
exposure-catalog lowercase fallback.

The broader 7ASecurity audit also produced infrastructure-level CVEs
(CVE-2025-31484 anaconda.org token exposure, CVE-2025-49823
staged-recipes weak permissions, CVE-2025-32784/-32797 conda-smithy CI
hardening) which are not catalogable as on-disk package presence; see
https://conda-forge.org/blog/2025/07/16/security-audit/ for the full
audit summary.

Co-Authored-By: Claude <noreply@anthropic.com>

jviehhauser changed the title from "feat(threat_intel): add conda-forge-metadata CVE-2025-27510 catalog" to "feat(threat_intel): add conda/pixi supply-chain catalogs (CVE-2025-27510 + 7ASecurity audit cluster)" on May 28, 2026

jviehhauser (Author) commented:

Folded into #36 — the two catalogs were cherry-picked onto jv/conda-ecosystem because the conda-channel entries are inert without the conda scanner. See #36 for the combined PR; the catalog commits are preserved with their original messages.
