Impact
What kind of vulnerability is it? Who is impacted?
The write_token function in .github/workflows/scripts/create_feedstocks.py creates files with permissions exceeding 0o600, allowing read and write access beyond the intended user/owner. This violates the principle of least privilege, which mandates restricting file permissions to the minimum necessary. An attacker could exploit this to access configuration files in shared hosting environments. Enforcing strict file permissions mitigates risks such as information disclosure and unauthorized code execution.
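As an added illustration (not the create_feedstocks.py code, which the advisory does not reproduce), the following Python shows the looser file-creation pattern the advisory describes next to an owner-only (0o600) version, plus a check that flags any file whose mode exceeds 0o600. The function names, the demo, and the token value are hypothetical.

```python
import os
import stat
import tempfile

# Added example (not the create_feedstocks.py code): the looser pattern the
# advisory describes beside a hardened write_token, plus a check that reports
# whether a file is readable or writable by group/other. All names are
# hypothetical; the token string is constructed.

def write_token_loose(path: str, token: str) -> None:
    """Typical weak pattern: open() creates the file as 0o666 & ~umask,
    so under the common umask of 0o022 the token lands on disk as 0o644."""
    with open(path, "w") as fh:
        fh.write(token)

def write_token_strict(path: str, token: str) -> None:
    """Create the file owner-only (0o600) from the first instant it exists.

    os.open applies the mode at creation, so there is no window where the
    file briefly carries umask-derived permissions (as open()+chmod has).
    O_EXCL refuses to reuse a file or symlink already present at `path`.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:   # fdopen owns fd and closes it on exit
        os.fchmod(fd, 0o600)         # enforce the mode even under odd umask/ACL defaults
        fh.write(token)

def accessible_beyond_owner(path: str) -> bool:
    """True if any group or other permission bit is set, i.e. mode exceeds 0o600."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))

def demo(umask: int = 0o022) -> tuple[bool, bool]:
    """Write a constructed token both ways under `umask`; return the check results."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            loose, strict = os.path.join(d, "loose"), os.path.join(d, "strict")
            write_token_loose(loose, "ghp_constructed_example_token")
            write_token_strict(strict, "ghp_constructed_example_token")
            return accessible_beyond_owner(loose), accessible_beyond_owner(strict)
    finally:
        os.umask(old)

if __name__ == "__main__":
    print(demo())   # → (True, False) on a POSIX system
```

The second assertion in the usage below shows the loose version is only safe by accident of umask, which is why the mode must be set explicitly at creation.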
Patches
Has the problem been patched? What versions should users upgrade to?
The pipelines have been patched as of 2025-03-30.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References
Are there any links users can visit to find out more?
Found by audit conducted by 7a Security in partnership with OSTIF