Vulnerabilities related to NixOS - nix
CVE-2025-52991 (GCVE-0-2025-52991)
Vulnerability from cvelistv5
Published
2025-06-27 00:00
Modified
2025-06-27 15:46
CWE
  • CWE-276 - Incorrect Default Permissions
Summary
The Nix, Lix, and Guix package managers default to using temporary build directories in a world-readable and world-writable location. This allows standard users to deceive the package manager into using directories with pre-existing content, potentially leading to unauthorized actions or data manipulation. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.
Impacted products
Vendor Product Version
NixOS Nix Version: 0 < 2.24.15
Version: 2.25.0 < 2.26.4
Version: 2.27.0 < 2.28.4
Version: 2.29.0 < 2.29.1


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-52991",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-27T15:21:20.719431Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-27T15:46:39.932Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Nix",
          "vendor": "NixOS",
          "versions": [
            {
              "lessThan": "2.24.15",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.26.4",
              "status": "affected",
              "version": "2.25.0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.28.4",
              "status": "affected",
              "version": "2.27.0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.29.1",
              "status": "affected",
              "version": "2.29.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.24.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.26.4",
                  "versionStartIncluding": "2.25.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.28.4",
                  "versionStartIncluding": "2.27.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.29.1",
                  "versionStartIncluding": "2.29.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Nix, Lix, and Guix package managers default to using temporary build directories in a world-readable and world-writable location. This allows standard users to deceive the package manager into using directories with pre-existing content, potentially leading to unauthorized actions or data manipulation. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 3.2,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-276",
              "description": "CWE-276 Incorrect Default Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-27T13:30:32.480Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://discourse.nixos.org/t/security-advisory-privilege-escalations-in-nix-lix-and-guix/66017"
        },
        {
          "url": "https://lix.systems/blog/2025-06-24-lix-cves/"
        },
        {
          "url": "https://guix.gnu.org/en/blog/2025/privilege-escalation-vulnerabilities-2025/"
        },
        {
          "url": "https://security.snyk.io/vuln/?search=CVE-2025-52991"
        },
        {
          "url": "https://security-tracker.debian.org/tracker/CVE-2025-52991"
        },
        {
          "url": "https://labs.snyk.io"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-52991",
    "datePublished": "2025-06-27T00:00:00.000Z",
    "dateReserved": "2025-06-23T00:00:00.000Z",
    "dateUpdated": "2025-06-27T15:46:39.932Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-46416 (GCVE-0-2025-46416)
Vulnerability from cvelistv5
Published
2025-06-27 00:00
Modified
2025-06-27 15:49
CWE
  • CWE-282 - Improper Ownership Management
Summary
The Nix, Lix, and Guix package managers allow a bypass of build isolation in which a user can elevate their privileges to the build user account (e.g., nixbld or guixbuild). This affects Nix through 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix through 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.
Impacted products
Vendor Product Version
NixOS Nix Version: 0 ≤ 2.24.15
Version: 2.25.0 ≤ 2.26.4
Version: 2.27.0 ≤ 2.28.4
Version: 2.29.0 ≤ 2.29.1


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-46416",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-27T15:48:56.617817Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-27T15:49:08.285Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Nix",
          "vendor": "NixOS",
          "versions": [
            {
              "lessThanOrEqual": "2.24.15",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "2.26.4",
              "status": "affected",
              "version": "2.25.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "2.28.4",
              "status": "affected",
              "version": "2.27.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "2.29.1",
              "status": "affected",
              "version": "2.29.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "2.24.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "2.26.4",
                  "versionStartIncluding": "2.25.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "2.28.4",
                  "versionStartIncluding": "2.27.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "2.29.1",
                  "versionStartIncluding": "2.29.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Nix, Lix, and Guix package managers allow a bypass of build isolation in which a user can elevate their privileges to the build user account (e.g., nixbld or guixbuild). This affects Nix through 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix through 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 2.9,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-282",
              "description": "CWE-282 Improper Ownership Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-27T13:27:26.570Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://discourse.nixos.org/t/security-advisory-privilege-escalations-in-nix-lix-and-guix/66017"
        },
        {
          "url": "https://lix.systems/blog/2025-06-24-lix-cves/"
        },
        {
          "url": "https://guix.gnu.org/en/blog/2025/privilege-escalation-vulnerabilities-2025/"
        },
        {
          "url": "https://labs.snyk.io"
        },
        {
          "url": "https://security.snyk.io/vuln/?search=CVE-2025-46416"
        },
        {
          "url": "https://security-tracker.debian.org/tracker/CVE-2025-46416"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-46416",
    "datePublished": "2025-06-27T00:00:00.000Z",
    "dateReserved": "2025-04-24T00:00:00.000Z",
    "dateUpdated": "2025-06-27T15:49:08.285Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-51481 (GCVE-0-2024-51481)
Vulnerability from cvelistv5
Published
2024-10-31 16:10
Modified
2024-10-31 16:51
CWE
  • CWE-693 - Protection Mechanism Failure
Summary
Nix is a package manager for Linux and other Unix systems. On macOS, built-in builders (such as `builtin:fetchurl`, exposed to users with `import <nix/fetchurl.nix>`) were not executed in the macOS sandbox. Thus, these builders (which are running under the `nixbld*` users) had read access to world-readable paths and write access to world-writable paths outside of the sandbox. This issue is fixed in 2.18.9, 2.19.7, 2.20.9, 2.21.5, 2.22.4, 2.23.4, and 2.24.10. Note that sandboxing is not enabled by default on macOS. The Nix sandbox is not primarily intended as a security mechanism, but as an aid to improve reproducibility and purity of Nix builds. However, sandboxing *can* mitigate the impact of other security issues by limiting what parts of the host system a build has access to.
Impacted products
Vendor Product Version
NixOS nix Version: < 2.18.9
Version: >= 2.19.0, < 2.19.7, 2.20.9, 2.21.5, 2.22.4, 2.23.4, 2.24.10
Version: >= 2.20.0, < 2.20.9
Version: >= 2.21.0, < 2.21.5
Version: >= 2.22.0, < 2.22.4
Version: >= 2.23.0, < 2.23.4
Version: >= 2.24.0, < 2.24.10


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-51481",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-31T16:51:51.261407Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-31T16:51:59.101Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nix",
          "vendor": "NixOS",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.18.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.19.0, \u003c 2.19.7, 2.20.9, 2.21.5, 2.22.4, 2.23.4, 2.24.10"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.20.0, \u003c 2.20.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.21.0, \u003c 2.21.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.22.0, \u003c 2.22.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.23.0, \u003c 2.23.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.24.0, \u003c 2.24.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Nix is a package manager for Linux and other Unix systems. On macOS, built-in builders (such as `builtin:fetchurl`, exposed to users with `import \u003cnix/fetchurl.nix\u003e`) were not executed in the macOS sandbox. Thus, these builders (which are running under the `nixbld*` users) had read access to world-readable paths and write access to world-writable paths outside of the sandbox. This issue is fixed in 2.18.9, 2.19.7, 2.20.9, 2.21.5, 2.22.4, 2.23.4, and 2.24.10. Note that sandboxing is not enabled by default on macOS. The Nix sandbox is not primarily intended as a security mechanism, but as an aid to improve reproducibility and purity of Nix builds. However, sandboxing *can* mitigate the impact of other security issues by limiting what parts of the host system a build has access to."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 1,
            "baseSeverity": "LOW",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-693",
              "description": "CWE-693: Protection Mechanism Failure",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-31T16:10:22.398Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/NixOS/nix/security/advisories/GHSA-wf4c-57rh-9pjg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/NixOS/nix/security/advisories/GHSA-wf4c-57rh-9pjg"
        },
        {
          "name": "https://github.com/NixOS/nix/commit/597fcc98e18e3178734d06a9e7306250e8cb8d74",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/NixOS/nix/commit/597fcc98e18e3178734d06a9e7306250e8cb8d74"
        }
      ],
      "source": {
        "advisory": "GHSA-wf4c-57rh-9pjg",
        "discovery": "UNKNOWN"
      },
      "title": "Nix allows macOS sandbox escape via built-in builders"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-51481",
    "datePublished": "2024-10-31T16:10:22.398Z",
    "dateReserved": "2024-10-28T14:20:59.335Z",
    "dateUpdated": "2024-10-31T16:51:59.101Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-52993 (GCVE-0-2025-52993)
Vulnerability from cvelistv5
Published
2025-06-27 00:00
Modified
2025-06-27 15:04
CWE
  • CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Summary
A race condition in the Nix, Lix, and Guix package managers enables changing the ownership of arbitrary files to the UID and GID of the build user (e.g., nixbld* or guixbuild*). This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.
Impacted products
Vendor Product Version
NixOS Nix Version: 0 < 2.24.15
Version: 2.25.0 < 2.26.4
Version: 2.27.0 < 2.28.4
Version: 2.29.0 < 2.29.1


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-52993",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-27T14:59:31.536727Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-27T15:04:24.269Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Nix",
          "vendor": "NixOS",
          "versions": [
            {
              "lessThan": "2.24.15",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.26.4",
              "status": "affected",
              "version": "2.25.0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.28.4",
              "status": "affected",
              "version": "2.27.0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.29.1",
              "status": "affected",
              "version": "2.29.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.24.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.26.4",
                  "versionStartIncluding": "2.25.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.28.4",
                  "versionStartIncluding": "2.27.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.29.1",
                  "versionStartIncluding": "2.29.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A race condition in the Nix, Lix, and Guix package managers enables changing the ownership of arbitrary files to the UID and GID of the build user (e.g., nixbld* or guixbuild*). This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-362",
              "description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-27T13:36:03.468Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://discourse.nixos.org/t/security-advisory-privilege-escalations-in-nix-lix-and-guix/66017"
        },
        {
          "url": "https://lix.systems/blog/2025-06-24-lix-cves/"
        },
        {
          "url": "https://guix.gnu.org/en/blog/2025/privilege-escalation-vulnerabilities-2025/"
        },
        {
          "url": "https://labs.snyk.io"
        },
        {
          "url": "https://security.snyk.io/vuln/?search=CVE-2025-52993"
        },
        {
          "url": "https://security-tracker.debian.org/tracker/CVE-2025-52993"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-52993",
    "datePublished": "2025-06-27T00:00:00.000Z",
    "dateReserved": "2025-06-23T00:00:00.000Z",
    "dateUpdated": "2025-06-27T15:04:24.269Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-47174 (GCVE-0-2024-47174)
Vulnerability from cvelistv5
Published
2024-09-26 17:27
Modified
2024-09-26 17:49
CWE
  • CWE-287 - Improper Authentication
Summary
Nix is a package manager for Linux and other Unix systems. Starting in version 1.11 and prior to versions 2.18.8 and 2.24.8, `<nix/fetchurl.nix>` did not verify TLS certificates on HTTPS connections. This could lead to connection details such as full URLs or credentials leaking in case of a man-in-the-middle (MITM) attack. `<nix/fetchurl.nix>` is also known as the builtin derivation builder `builtin:fetchurl`. It's not to be confused with the evaluation-time function `builtins.fetchurl`, which was not affected by this issue. A user may be affected by the risk of leaking credentials if they have a `netrc` file for authentication, or rely on derivations with `impureEnvVars` set to use credentials from the environment. In addition, the commonplace trust-on-first-use (TOFU) technique of updating dependencies by specifying an invalid hash and obtaining it from a remote store was also vulnerable to a MITM injecting arbitrary store objects. This also applied to the impure derivations experimental feature. Note that this may also happen when using Nixpkgs fetchers to obtain new hashes when not using the fake hash method, although that mechanism is not implemented in Nix itself but rather in Nixpkgs using a fixed-output derivation. The behavior was introduced in version 1.11 to make it consistent with the Nixpkgs `pkgs.fetchurl` and to make `<nix/fetchurl.nix>` work in the derivation builder sandbox, which back then did not have access to the CA bundles by default. Nowadays, CA bundles are bind-mounted on Linux. This issue has been fixed in Nix 2.18.8 and 2.24.8. As a workaround, implement (authenticated) fetching with `pkgs.fetchurl` from Nixpkgs, using `impureEnvVars` and `curlOpts` as needed.
Impacted products
Vendor Product Version
NixOS nix Version: >= 1.11, < 2.18.8
Version: >= 2.24.0, < 2.24.8


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-47174",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-26T17:49:17.234874Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-26T17:49:28.342Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nix",
          "vendor": "NixOS",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.11, \u003c 2.18.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.24.0, \u003c 2.24.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Nix is a package manager for Linux and other Unix systems. Starting in version 1.11 and prior to versions 2.18.8 and 2.24.8, `\u003cnix/fetchurl.nix\u003e` did not verify TLS certificates on HTTPS connections. This could lead to connection details such as full URLs or credentials leaking in case of a man-in-the-middle (MITM) attack. `\u003cnix/fetchurl.nix\u003e` is also known as the builtin derivation builder `builtin:fetchurl`. It\u0027s not to be confused with the evaluation-time function `builtins.fetchurl`, which was not affected by this issue. A user may be affected by the risk of leaking credentials if they have a `netrc` file for authentication, or rely on derivations with `impureEnvVars` set to use credentials from the environment. In addition, the commonplace trust-on-first-use (TOFU) technique of updating dependencies by specifying an invalid hash and obtaining it from a remote  store was also vulnerable to a MITM injecting arbitrary store objects. This also applied to the impure derivations experimental feature. Note that this may also happen when using Nixpkgs fetchers to obtain new hashes when not using the fake hash method, although that mechanism is not implemented in Nix itself but rather in Nixpkgs using a fixed-output derivation. The behavior was introduced in version 1.11 to make it consistent with the Nixpkgs `pkgs.fetchurl` and to make `\u003cnix/fetchurl.nix\u003e` work in the derivation builder sandbox, which back then did not have access to the CA bundles by default. Nowadays, CA bundles are bind-mounted on Linux. This issue has been fixed in Nix 2.18.8 and 2.24.8. As a workaround, implement (authenticated) fetching with `pkgs.fetchurl` from Nixpkgs, using `impureEnvVars` and `curlOpts` as needed."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-26T17:27:53.966Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/NixOS/nix/security/advisories/GHSA-6fjr-mq49-mm2c",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/NixOS/nix/security/advisories/GHSA-6fjr-mq49-mm2c"
        },
        {
          "name": "https://github.com/NixOS/nix/pull/11585",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/NixOS/nix/pull/11585"
        },
        {
          "name": "https://github.com/NixOS/nix/commit/062b4a489e30da9c85fa4ff15cfdd2e51cac7b90",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/NixOS/nix/commit/062b4a489e30da9c85fa4ff15cfdd2e51cac7b90"
        },
        {
          "name": "https://github.com/NixOS/nix/commit/5db358d4d78aea7204a8f22c5bf2a309267ee038",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/NixOS/nix/commit/5db358d4d78aea7204a8f22c5bf2a309267ee038"
        }
      ],
      "source": {
        "advisory": "GHSA-6fjr-mq49-mm2c",
        "discovery": "UNKNOWN"
      },
      "title": "Credential leak when credentials are used with `\u003cnix/fetchurl.nix\u003e`"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-47174",
    "datePublished": "2024-09-26T17:27:53.966Z",
    "dateReserved": "2024-09-19T22:32:11.961Z",
    "dateUpdated": "2024-09-26T17:49:28.342Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-52992 (GCVE-0-2025-52992)
Vulnerability from cvelistv5
Published
2025-06-27 00:00
Modified
2025-06-27 15:18
CWE
  • CWE-732 - Incorrect Permission Assignment for Critical Resource
Summary
The Nix, Lix, and Guix package managers fail to properly set permissions when a derivation build fails. This may allow arbitrary processes to modify the content of a store outside of the build sandbox. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.
Impacted products
Vendor Product Version
NixOS Nix Version: 0   
Version: 2.25.0   
Version: 2.27.0   
Version: 2.29.0   


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-52992",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-27T15:17:46.777042Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-27T15:18:30.716Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Nix",
          "vendor": "NixOS",
          "versions": [
            {
              "lessThan": "2.24.15",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.26.4",
              "status": "affected",
              "version": "2.25.0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.28.4",
              "status": "affected",
              "version": "2.27.0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.29.1",
              "status": "affected",
              "version": "2.29.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.24.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.26.4",
                  "versionStartIncluding": "2.25.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.28.4",
                  "versionStartIncluding": "2.27.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.29.1",
                  "versionStartIncluding": "2.29.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Nix, Lix, and Guix package managers fail to properly set permissions when a derivation build fails. This may allow arbitrary processes to modify the content of a store outside of the build sandbox. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 3.2,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-732",
              "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-27T13:33:22.543Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://discourse.nixos.org/t/security-advisory-privilege-escalations-in-nix-lix-and-guix/66017"
        },
        {
          "url": "https://lix.systems/blog/2025-06-24-lix-cves/"
        },
        {
          "url": "https://guix.gnu.org/en/blog/2025/privilege-escalation-vulnerabilities-2025/"
        },
        {
          "url": "https://labs.snyk.io"
        },
        {
          "url": "https://security.snyk.io/vuln/?search=CVE-2025-52992"
        },
        {
          "url": "https://security-tracker.debian.org/tracker/CVE-2025-52992"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-52992",
    "datePublished": "2025-06-27T00:00:00.000Z",
    "dateReserved": "2025-06-23T00:00:00.000Z",
    "dateUpdated": "2025-06-27T15:18:30.716Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-27297 (GCVE-0-2024-27297)
Vulnerability from cvelistv5
Published
2024-03-11 21:24
Modified
2025-06-27 12:16
CWE
  • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Summary
Nix is a package manager for Linux and other Unix systems. A fixed-output derivation on Linux can send file descriptors for files in the Nix store to another program running on the host (or another fixed-output derivation) via Unix domain sockets in the abstract namespace. This allows the output of the derivation to be modified after Nix has registered the path as "valid" and immutable in the Nix database. In particular, this allows the output of fixed-output derivations to be modified from their expected content. This issue has been addressed in versions 2.3.18, 2.18.2, 2.19.4, and 2.20.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Impacted products
Vendor Product Version
NixOS nix Version: >= 2.3.0, < 2.3.18
Version: >= 2.4.0, < 2.18.2
Version: >= 2.19.0, < 2.19.4
Version: >= 2.20.0, < 2.20.5


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-27297",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-12T18:38:57.385291Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:46:24.214Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-06-27T12:16:28.799Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://guix.gnu.org/en/blog/2025/privilege-escalation-vulnerabilities-2025/"
          },
          {
            "name": "https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37"
          },
          {
            "name": "https://github.com/NixOS/nix/commit/f8170ce9f119e5e6724eb81ff1b5a2d4c0024000",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/NixOS/nix/commit/f8170ce9f119e5e6724eb81ff1b5a2d4c0024000"
          },
          {
            "name": "https://hackmd.io/03UGerewRcy3db44JQoWvw",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackmd.io/03UGerewRcy3db44JQoWvw"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nix",
          "vendor": "NixOS",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.3.0, \u003c 2.3.18"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.4.0, \u003c 2.18.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.19.0, \u003c 2.19.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.20.0, \u003c 2.20.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Nix is a package manager for Linux and other Unix systems. A fixed-output derivations on Linux can send file descriptors to files in the Nix store to another program running on the host (or another fixed-output derivation) via Unix domain sockets in the abstract namespace. This allows to modify the output of the derivation, after Nix has registered the path as \"valid\" and immutable in the Nix database. In particular, this allows the output of fixed-output derivations to be modified from their expected content. This issue has been addressed in versions 2.3.18 2.18.2 2.19.4 and 2.20.5. Users are advised to upgrade. There are no known workarounds for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-367",
              "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-11T21:25:51.065Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37"
        },
        {
          "name": "https://github.com/NixOS/nix/commit/f8170ce9f119e5e6724eb81ff1b5a2d4c0024000",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/NixOS/nix/commit/f8170ce9f119e5e6724eb81ff1b5a2d4c0024000"
        },
        {
          "name": "https://hackmd.io/03UGerewRcy3db44JQoWvw",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackmd.io/03UGerewRcy3db44JQoWvw"
        }
      ],
      "source": {
        "advisory": "GHSA-2ffj-w4mj-pg37",
        "discovery": "UNKNOWN"
      },
      "title": "Nix Corruption of fixed-output derivations"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-27297",
    "datePublished": "2024-03-11T21:24:43.919Z",
    "dateReserved": "2024-02-22T18:08:38.874Z",
    "dateUpdated": "2025-06-27T12:16:28.799Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-53819 (GCVE-0-2025-53819)
Vulnerability from cvelistv5
Published
2025-07-14 20:42
Modified
2025-07-15 19:50
CWE
  • CWE-271 - Privilege Dropping / Lowering Errors
Summary
Nix is a package manager for Linux and other Unix systems. Builds with Nix 2.30.0 on macOS were executed with elevated privileges (root), instead of the build users. The fix was applied to Nix 2.30.1. No known workarounds are available.
Impacted products
Vendor Product Version
NixOS nix Version: = 2.30.0


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53819",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-15T13:55:22.262473Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-15T19:50:28.259Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nix",
          "vendor": "NixOS",
          "versions": [
            {
              "status": "affected",
              "version": "= 2.30.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Nix is a package manager for Linux and other Unix systems. Builds with Nix 2.30.0 on macOS were executed with elevated privileges (root), instead of the build users. The fix was applied to Nix 2.30.1. No known workarounds are available."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 7.9,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-271",
              "description": "CWE-271: Privilege Dropping / Lowering Errors",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-14T20:42:12.818Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/NixOS/nix/security/advisories/GHSA-qc7j-jgf3-qmhg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/NixOS/nix/security/advisories/GHSA-qc7j-jgf3-qmhg"
        },
        {
          "name": "https://github.com/NixOS/nix/pull/13281",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/NixOS/nix/pull/13281"
        },
        {
          "name": "https://github.com/NixOS/nix/pull/13455",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/NixOS/nix/pull/13455"
        },
        {
          "name": "https://github.com/NixOS/nix/commit/e2ef2cfcbc83ea01308ee64c38a58707ab23dec3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/NixOS/nix/commit/e2ef2cfcbc83ea01308ee64c38a58707ab23dec3"
        }
      ],
      "source": {
        "advisory": "GHSA-qc7j-jgf3-qmhg",
        "discovery": "UNKNOWN"
      },
      "title": "Nix\u0027s privilege dropping to build user broke for macOS"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-53819",
    "datePublished": "2025-07-14T20:42:12.818Z",
    "dateReserved": "2025-07-09T14:14:52.529Z",
    "dateUpdated": "2025-07-15T19:50:28.259Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-17365 (GCVE-0-2019-17365)
Vulnerability from cvelistv5
Published
2019-10-09 21:19
Modified
2024-08-05 01:40
Severity ?
CWE
  • n/a
Summary
Nix through 2.3 allows local users to gain access to an arbitrary user's account because the parent directory of the user-profile directories is world writable.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T01:40:15.250Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2019/10/09/4"
          },
          {
            "name": "[oss-security] 20191010 Re: CVE-2019-17365: Nix per-user profile directory hijack",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2019/10/10/1"
          },
          {
            "name": "[oss-security] 20191017 CVE-2019-18192: Insecure permissions on Guix profile directory",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2019/10/17/3"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2019-10-09T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Nix through 2.3 allows local users to gain access to an arbitrary user\u0027s account because the parent directory of the user-profile directories is world writable."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-10-17T23:06:05",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2019/10/09/4"
        },
        {
          "name": "[oss-security] 20191010 Re: CVE-2019-17365: Nix per-user profile directory hijack",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2019/10/10/1"
        },
        {
          "name": "[oss-security] 20191017 CVE-2019-18192: Insecure permissions on Guix profile directory",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2019/10/17/3"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-17365",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Nix through 2.3 allows local users to gain access to an arbitrary user\u0027s account because the parent directory of the user-profile directories is world writable."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.openwall.com/lists/oss-security/2019/10/09/4",
              "refsource": "MISC",
              "url": "http://www.openwall.com/lists/oss-security/2019/10/09/4"
            },
            {
              "name": "[oss-security] 20191010 Re: CVE-2019-17365: Nix per-user profile directory hijack",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2019/10/10/1"
            },
            {
              "name": "[oss-security] 20191017 CVE-2019-18192: Insecure permissions on Guix profile directory",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2019/10/17/3"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-17365",
    "datePublished": "2019-10-09T21:19:13",
    "dateReserved": "2019-10-09T00:00:00",
    "dateUpdated": "2024-08-05T01:40:15.250Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-46415 (GCVE-0-2025-46415)
Vulnerability from cvelistv5
Published
2025-06-27 00:00
Modified
2025-06-27 19:57
CWE
  • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Summary
A race condition in the Nix, Lix, and Guix package managers allows the removal of content from arbitrary folders. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.
Impacted products
Vendor Product Version
NixOS Nix Version: 0   
Version: 2.25.0   
Version: 2.27.0   
Version: 2.29.0   


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-46415",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-27T19:57:42.327675Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-27T19:57:56.693Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Nix",
          "vendor": "NixOS",
          "versions": [
            {
              "lessThan": "2.24.15",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.26.4",
              "status": "affected",
              "version": "2.25.0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.28.4",
              "status": "affected",
              "version": "2.27.0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.29.1",
              "status": "affected",
              "version": "2.29.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.24.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.26.4",
                  "versionStartIncluding": "2.25.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.28.4",
                  "versionStartIncluding": "2.27.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.29.1",
                  "versionStartIncluding": "2.29.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A race condition in the Nix, Lix, and Guix package managers allows the removal of content from arbitrary folders. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 3.2,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-367",
              "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-27T13:23:22.298Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://discourse.nixos.org/t/security-advisory-privilege-escalations-in-nix-lix-and-guix/66017"
        },
        {
          "url": "https://lix.systems/blog/2025-06-24-lix-cves/"
        },
        {
          "url": "https://guix.gnu.org/en/blog/2025/privilege-escalation-vulnerabilities-2025/"
        },
        {
          "url": "https://labs.snyk.io"
        },
        {
          "url": "https://security.snyk.io/vuln/?search=CVE-2025-46415"
        },
        {
          "url": "https://security-tracker.debian.org/tracker/CVE-2025-46415"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-46415",
    "datePublished": "2025-06-27T00:00:00.000Z",
    "dateReserved": "2025-04-24T00:00:00.000Z",
    "dateUpdated": "2025-06-27T19:57:56.693Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-38531 (GCVE-0-2024-38531)
Vulnerability from cvelistv5
Published
2024-06-28 13:18
Modified
2024-08-02 04:12
CWE
  • CWE-278 - Insecure Preserved Inherited Permissions
Summary
Nix is a package manager for Linux and other Unix systems that makes package management reliable and reproducible. A build process has access to and can change the permissions of the build directory. After creating a setuid binary in a globally accessible location, a malicious local user can assume the permissions of a Nix daemon worker and hijack all future builds. This issue was patched in version(s) 2.23.1, 2.22.2, 2.21.3, 2.20.7, 2.19.5 and 2.18.4.
Impacted products
Vendor Product Version
NixOS nix Version: >= 2.23.0, < 2.23.1
Version: >= 2.22.0, < 2.22.2
Version: >= 2.21.0, < 2.21.3
Version: >= 2.20.0, < 2.20.7
Version: >= 2.19.0, < 2.19.5
Version: >= 2.18.0, < 2.18.4


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-38531",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-05T15:26:22.607904Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-08T19:37:03.431Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:12:25.386Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/NixOS/nix/security/advisories/GHSA-q82p-44mg-mgh5",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/NixOS/nix/security/advisories/GHSA-q82p-44mg-mgh5"
          },
          {
            "name": "https://github.com/NixOS/nix/pull/10501",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/NixOS/nix/pull/10501"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nix",
          "vendor": "NixOS",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.23.0, \u003c 2.23.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.22.0, \u003c 2.22.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.21.0, \u003c 2.21.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.20.0, \u003c 2.20.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.19.0, \u003c 2.19.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.18.0, \u003c 2.18.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Nix is a package manager for Linux and other Unix systems that makes package management reliable and reproducible. A build process has access to and can change the permissions of the build directory. After creating a setuid binary in a globally accessible location, a malicious local user can assume the permissions of a Nix daemon worker and hijack all future builds. This issue was patched in version(s) 2.23.1, 2.22.2, 2.21.3, 2.20.7, 2.19.5 and 2.18.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 3.6,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-278",
              "description": "CWE-278: Insecure Preserved Inherited Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-28T13:18:58.604Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/NixOS/nix/security/advisories/GHSA-q82p-44mg-mgh5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/NixOS/nix/security/advisories/GHSA-q82p-44mg-mgh5"
        },
        {
          "name": "https://github.com/NixOS/nix/pull/10501",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/NixOS/nix/pull/10501"
        }
      ],
      "source": {
        "advisory": "GHSA-q82p-44mg-mgh5",
        "discovery": "UNKNOWN"
      },
      "title": "Nix sandbox escape"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-38531",
    "datePublished": "2024-06-28T13:18:58.604Z",
    "dateReserved": "2024-06-18T16:37:02.729Z",
    "dateUpdated": "2024-08-02T04:12:25.386Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-45593 (GCVE-0-2024-45593)
Vulnerability from cvelistv5
Published
2024-09-10 15:51
Modified
2024-09-10 16:06
Severity ?
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Nix is a package manager for Linux and other Unix systems. A bug in Nix 2.24 prior to 2.24.6 allows a substituter or malicious user to craft a NAR that, when unpacked by Nix, causes Nix to write to arbitrary file system locations to which the Nix process has access. When the Nix daemon is used, these writes are performed with root permissions. This issue is fixed in Nix 2.24.6.
Impacted products
Vendor Product Version
NixOS nix Version: >= 2.24.0, < 2.24.6


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:o:nixos:nix:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "nix",
            "vendor": "nixos",
            "versions": [
              {
                "lessThan": "2.24.6",
                "status": "affected",
                "version": "2.24.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-45593",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T16:03:03.600877Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-10T16:06:16.016Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nix",
          "vendor": "NixOS",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.24.0, \u003c 2.24.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Nix is a package manager for Linux and other Unix systems. A bug in Nix 2.24 prior to 2.24.6 allows a substituter or malicious user to craft a NAR that, when unpacked by Nix, causes Nix to write to arbitrary file system locations to which the Nix process has access. This will be with root permissions when using the Nix daemon. This issue is fixed in Nix 2.24.6."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-10T15:51:07.881Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/NixOS/nix/security/advisories/GHSA-h4vv-h3jq-v493",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/NixOS/nix/security/advisories/GHSA-h4vv-h3jq-v493"
        },
        {
          "name": "https://github.com/NixOS/nix/commit/eb11c1499876cd4c9c188cbda5b1003b36ce2e59",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/NixOS/nix/commit/eb11c1499876cd4c9c188cbda5b1003b36ce2e59"
        }
      ],
      "source": {
        "advisory": "GHSA-h4vv-h3jq-v493",
        "discovery": "UNKNOWN"
      },
      "title": "Nix affected by unsafe NAR unpacking"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-45593",
    "datePublished": "2024-09-10T15:51:07.881Z",
    "dateReserved": "2024-09-02T16:00:02.423Z",
    "dateUpdated": "2024-09-10T16:06:16.016Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Vulnerability from fkie_nvd
Published
2019-10-09 22:15
Modified
2025-01-15 14:29
Summary
Nix through 2.3 allows local users to gain access to an arbitrary user's account because the parent directory of the user-profile directories is world writable.
Impacted products
Vendor Product Version
nixos nix *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "41CBEDE7-C5CA-4533-8F81-940E20658FDF",
              "versionEndIncluding": "2.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Nix through 2.3 allows local users to gain access to an arbitrary user\u0027s account because the parent directory of the user-profile directories is world writable."
    },
    {
      "lang": "es",
      "value": "Nix versiones hasta 2.3, permite a usuarios locales conseguir acceso a la cuenta de un usuario arbitrario porque el directorio principal de los directorios de perfil de usuario son de tipo world writable."
    }
  ],
  "id": "CVE-2019-17365",
  "lastModified": "2025-01-15T14:29:23.370",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 4.6,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-10-09T22:15:10.670",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2019/10/09/4"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2019/10/10/1"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2019/10/17/3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2019/10/09/4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2019/10/10/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2019/10/17/3"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-276"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-03-11 22:15
Modified
2025-06-27 13:15
Summary
Nix is a package manager for Linux and other Unix systems. A fixed-output derivation on Linux can send file descriptors for files in the Nix store to another program running on the host (or to another fixed-output derivation) via Unix domain sockets in the abstract namespace. This allows the output of the derivation to be modified after Nix has registered the path as "valid" and immutable in the Nix database. In particular, this allows the output of fixed-output derivations to be modified from their expected content. This issue has been addressed in versions 2.3.18, 2.18.2, 2.19.4, and 2.20.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Impacted products
Vendor Product Version
nixos nix *
nixos nix *
nixos nix *
nixos nix *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "47601C02-77F2-4F60-9077-298221CA12F5",
              "versionEndExcluding": "2.3.18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0BD193CF-30E0-4583-AA03-101B1488A973",
              "versionEndExcluding": "2.18.2",
              "versionStartIncluding": "2.4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "69B51F29-3651-4418-B41A-847576A31C5A",
              "versionEndExcluding": "2.19.4",
              "versionStartIncluding": "2.19.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2C2A184D-2C19-4A49-BF6A-44EC5C89C156",
              "versionEndExcluding": "2.20.5",
              "versionStartIncluding": "2.20.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Nix is a package manager for Linux and other Unix systems. A fixed-output derivations on Linux can send file descriptors to files in the Nix store to another program running on the host (or another fixed-output derivation) via Unix domain sockets in the abstract namespace. This allows to modify the output of the derivation, after Nix has registered the path as \"valid\" and immutable in the Nix database. In particular, this allows the output of fixed-output derivations to be modified from their expected content. This issue has been addressed in versions 2.3.18 2.18.2 2.19.4 and 2.20.5. Users are advised to upgrade. There are no known workarounds for this vulnerability."
    },
    {
      "lang": "es",
      "value": "Nix es un administrador de paquetes para Linux y otros sistemas Unix. Una derivaci\u00f3n de salida fija en Linux puede enviar descriptores de archivos en el almac\u00e9n Nix a otro programa que se ejecuta en el host (u otra derivaci\u00f3n de salida fija) a trav\u00e9s de sockets de dominio Unix en el espacio de nombres abstracto. Esto permite modificar la salida de la derivaci\u00f3n, despu\u00e9s de que Nix haya registrado la ruta como \"v\u00e1lida\" e inmutable en la base de datos de Nix. En particular, esto permite modificar la salida de derivaciones de salida fija respecto de su contenido esperado. Este problema se solucion\u00f3 en las versiones 2.3.18 2.18.2 2.19.4 y 2.20.5. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."
    }
  ],
  "id": "CVE-2024-27297",
  "lastModified": "2025-06-27T13:15:23.240",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 4.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-03-11T22:15:55.277",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/NixOS/nix/commit/f8170ce9f119e5e6724eb81ff1b5a2d4c0024000"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit"
      ],
      "url": "https://hackmd.io/03UGerewRcy3db44JQoWvw"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/NixOS/nix/commit/f8170ce9f119e5e6724eb81ff1b5a2d4c0024000"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://guix.gnu.org/en/blog/2025/privilege-escalation-vulnerabilities-2025/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "https://hackmd.io/03UGerewRcy3db44JQoWvw"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-367"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-367"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-09-10 16:15
Modified
2025-01-15 14:29
Summary
Nix is a package manager for Linux and other Unix systems. A bug in Nix 2.24 prior to 2.24.6 allows a substituter or malicious user to craft a NAR that, when unpacked by Nix, causes Nix to write to arbitrary file system locations to which the Nix process has access. When the Nix daemon is used, these writes are performed with root permissions. This issue is fixed in Nix 2.24.6.
Impacted products
Vendor Product Version
nixos nix *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "29F960E4-D262-4A4B-A212-709CB43F1325",
              "versionEndExcluding": "2.24.6",
              "versionStartIncluding": "2.24.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Nix is a package manager for Linux and other Unix systems. A bug in Nix 2.24 prior to 2.24.6 allows a substituter or malicious user to craft a NAR that, when unpacked by Nix, causes Nix to write to arbitrary file system locations to which the Nix process has access. This will be with root permissions when using the Nix daemon. This issue is fixed in Nix 2.24.6."
    },
    {
      "lang": "es",
      "value": "Nix es un gestor de paquetes para Linux y otros sistemas Unix. Un error en Nix 2.24 anterior a 2.24.6 permite que un sustituto o un usuario malintencionado cree un NAR que, cuando Nix lo descomprime, hace que Nix escriba en ubicaciones arbitrarias del sistema de archivos a las que el proceso Nix tiene acceso. Esto se har\u00e1 con permisos de superusuario cuando se utilice el daemon Nix. Este problema se solucion\u00f3 en Nix 2.24.6."
    }
  ],
  "id": "CVE-2024-45593",
  "lastModified": "2025-01-15T14:29:23.370",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-09-10T16:15:21.760",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/NixOS/nix/commit/eb11c1499876cd4c9c188cbda5b1003b36ce2e59"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/NixOS/nix/security/advisories/GHSA-h4vv-h3jq-v493"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}