Critical severityNVD Advisory· Published Mar 4, 2025· Updated Apr 15, 2026

CVE-2025-27510

Description

conda-forge-metadata provides programatic access to conda-forge's metadata. conda-forge-metadata uses an optional dependency - "conda-oci-mirror" which was neither present on the PyPi repository nor registered by any entity. If conda-oci-mirror is taken over by a threat actor, it can result in remote code execution.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/conda-forge/conda-forge-metadata/blob/799aee36b21ee06289d73d57838b28201f5a57af/pyproject.tomlnvd
github.com/conda-forge/conda-forge-metadata/security/advisories/GHSA-vwfh-m3q7-9jpwnvd

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.005
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000