Impact
What kind of vulnerability is it? Who is impacted?
This project's pyproject.toml listed conda-index as a Python dependency, but that package was not published on PyPI. An attacker could register the unclaimed name on PyPI and upload arbitrary (malicious) code under it; any pip install of the project would then resolve the dependency from PyPI and pull the attacker's package into the environment (a dependency-confusion / unclaimed-namespace attack). Anyone installing the project with pip, with dependency resolution enabled, is affected.
Patches
Has the problem been patched? What versions should users upgrade to?
Yes. As of 25.3.0, pyproject.toml no longer lists conda-index. The name conda-index has also been claimed on PyPI, so it can no longer be registered by a third party.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Pass --no-deps when pip install-ing the project from the repository, so pip does not attempt to resolve conda-index (or any other dependency) from PyPI.
References
Are there any links users can visit to find out more?