Skip to main content

Security Incident with Package Uploads (CVE-2025-31484)

· 2 min read
conda-forge/core
conda-forge/core
The conda-forge core team

In the past few months, conda-forge has been engaging with an external security audit in collaboration with the Open Source Technology Improvement Fund (OSTIF). The full results of this audit will be made public once it is complete per OSTIF responsible disclosure policies.

During this process, OSTIF and their contractor uncovered misconfigured infrastructure which exposed the anaconda.org token for the conda-forge channel to all feedstock maintainers. The token was exposed from on or about 2025-02-10 through 2025-04-01. See our GitHub Security Advisory for more details.

We have requested a CVE from GitHub and will amend this announcement once it is issued. Our response to this incident is detailed below, but TL;DR, as best as can reasonably be determined, no packages were compromised during this time.

Thank you for using conda-forge, please contact us if you have further questions, and please follow our security process for responsible reporting of vulnerabilities.

Finally, as a reminder, conda-forge packages are built by strangers on the internet (our wonderful feedstock maintainers!) and are not suitable for use cases that require secure software provenance.

Response timeline

The timeline and details of our response to this security incident are as follows:

  • 2025-04-01 13:35 UTC: OSTIF and their contractor notified conda-forge of the leaked token.
  • 2025-04-01 14:00 UTC: The conda-forge/core team acknowledged receipt of the report and started conducting the investigation.
  • 2025-04-01 14:15 UTC: The conda-forge/core team disabled the token and stopped uploads to anaconda.org.
  • 2025-04-01 14:20 UTC: We posted an incident to our status page reporting that uploads were temporarily paused.
  • 2025-04-01 15:19 UTC: We audited all uploads to the conda-forge channel, looking for uploads that bypassed our upload staging process. We did not find any. This check is not completely robust, but it does indicate that nothing was obviously compromised.
  • 2025-04-01 15:53 UTC: We decided to delay disclosure by one day to 2025-04-02 in order to not generate confusion (2025-04-01 is April Fools' Day in some countries when people commonly engage in practical jokes).
  • 2025-04-01 21:39 UTC: We deployed a fix to our infrastructure.
  • 2025-04-01 22:20 UTC: We then deployed a new token to our infrastructure and restarted uploads.
  • 2025-04-01 23:02 UTC: The status page incident was marked as resolved.
  • 2025-04-02: We published this announcement and the advisory. GitHub produced CVE-2025-31484 for us based on our security advisory.