Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2025-0013
published on
Permalink CVE-2025-10230
10.0 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 4 months ago by @mweinelt Activity log
  • Created automatic suggestion 4 months, 3 weeks ago
  • @mweinelt ignored package sambamba 4 months ago
  • @mweinelt accepted 4 months ago
  • @mweinelt published on GitHub 4 months ago
Samba: command injection in wins server hook script

A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names from registration packets are passed to a shell without proper validation or escaping. Unsanitized NetBIOS name data from WINS registration packets are inserted into a shell command and executed by the Samba Active Directory Domain Controller’s wins hook, allowing an unauthenticated network attacker to achieve remote command execution as the Samba process.

Affected products

rhcos
samba
  • <4.21.9
  • <4.23.2
  • <4.21.5
samba4

Matching in nixpkgs

pkgs.samba

Standard Windows interoperability suite of programs for Linux and Unix

  • nixos-unstable -

pkgs.samba4

Standard Windows interoperability suite of programs for Linux and Unix

pkgs.sambaFull

Standard Windows interoperability suite of programs for Linux and Unix

pkgs.samba4Full

Standard Windows interoperability suite of programs for Linux and Unix

Ignored packages (1)

Package maintainers

Fixed in:
https://github.com/NixOS/nixpkgs/pull/433796
https://github.com/NixOS/nixpkgs/pull/452396
NIXPKGS-2025-0011
published on
Permalink CVE-2025-11934
updated 4 months ago by @LeSuisse Activity log
  • Created automatic suggestion 4 months, 3 weeks ago
  • @LeSuisse accepted 4 months ago
  • @LeSuisse published on GitHub 4 months ago
Improper Validation of Signature Algorithm Used in TLS 1.3 CertificateVerify

Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multiple platforms allows for downgrading the signature algorithm used. For example when a client sends ECDSA P521 as the supported signature algorithm the server previously could respond as ECDSA P256 being the accepted signature algorithm and the connection would continue with using ECDSA P256, if the client supports ECDSA P256.

Affected products

wolfssl
  • ==v5.8.2
  • <5.8.4

Matching in nixpkgs

pkgs.wolfssl

Small, fast, portable implementation of TLS/SSL for embedded devices

Package maintainers

NIXPKGS-2025-0012
published on
Permalink CVE-2025-11935
updated 4 months ago by @LeSuisse Activity log
  • Created automatic suggestion 4 months, 3 weeks ago
  • @LeSuisse accepted 4 months ago
  • @LeSuisse published on GitHub 4 months ago
Forward Secrecy Violation in WolfSSL TLS 1.3

With TLS 1.3 pre-shared key (PSK) a malicious or faulty server could ignore the request for PFS (perfect forward secrecy) and the client would continue on with the connection using PSK without PFS. This happened when a server responded to a ClientHello containing psk_dhe_ke without a key_share extension. The re-use of an authenticated PSK connection that on the clients side unexpectedly did not have PFS, reduces the security of the connection.

Affected products

wolfssl
  • ==v5.8.2
  • <5.8.4

Matching in nixpkgs

pkgs.wolfssl

Small, fast, portable implementation of TLS/SSL for embedded devices

Package maintainers

NIXPKGS-2025-0006
published on
Permalink CVE-2025-40928
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 5 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months, 4 weeks ago
  • @LeSuisse ignored
    6 packages
    • perlPackages.CpanelJSONXS
    • perl538Packages.CpanelJSONXS
    • perl540Packages.CpanelJSONXS
    • perlPackages.JSONXSVersionOneAndTwo
    • perl538Packages.JSONXSVersionOneAndTwo
    • perl540Packages.JSONXSVersionOneAndTwo
    5 months, 2 weeks ago
  • @LeSuisse accepted 5 months, 2 weeks ago
  • @LeSuisse published on GitHub 5 months, 2 weeks ago
JSON::XS before version 4.04 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact

JSON::XS before version 4.04 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact

Affected products

JSON-XS
  • <4.04

Matching in nixpkgs

pkgs.perlPackages.JSONXS

JSON serialising/deserialising, done correctly and fast

  • nixos-unstable -
    • nixpkgs-unstable 4.03
Ignored packages (6)
NIXPKGS-2025-0007
published on
Permalink CVE-2025-40929
5.6 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 5 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months, 4 weeks ago
  • @LeSuisse accepted 5 months, 2 weeks ago
  • @LeSuisse published on GitHub 5 months, 2 weeks ago
Cpanel::JSON::XS before version 4.40 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact

Cpanel::JSON::XS before version 4.40 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact

Affected products

Cpanel-JSON-XS
  • <4.40

Matching in nixpkgs

NIXPKGS-2025-0009
published on
Permalink CVE-2025-8941
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 5 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months, 4 weeks ago
  • @LeSuisse ignored
    69 packages
    • ipam
    • opam
    • paml
    • dspam
    • pamix
    • rspamd
    • openpam
    • pam_p11
    • pam_u2f
    • pamixer
    • dopamine
    • pam_krb5
    • sbclPackages.cl-xmlspam
    • python312Packages.pamela
    • python313Packages.pamela
    • stalwart-mail-spam-filter
    • python312Packages.pypamtest
    • python313Packages.pypamtest
    • python312Packages.python-pam
    • python313Packages.python-pam
    • wordpressPackages.plugins.antispam-bee
    • matrix-synapse-plugins.matrix-synapse-pam
    • matrix-synapse-plugins.synapse-http-antispam
    • matrix-synapse-plugins.matrix-synapse-mjolnir-antispam
    • vscode-extensions.fabiospampinato.vscode-open-in-github
    • pam_ssh_agent_auth
    • rubyPackages.rpam2
    • decode-spam-headers
    • haskellPackages.pam
    • luaPackages.lua-pam
    • google-authenticator
    • lua51Packages.lua-pam
    • lua52Packages.lua-pam
    • lua53Packages.lua-pam
    • rubyPackages_3_1.rpam2
    • rubyPackages_3_2.rpam2
    • rubyPackages_3_3.rpam2
    • rubyPackages_3_4.rpam2
    • kdePackages.kwallet-pam
    • opensmtpd-filter-rspamd
    • python312Packages.pamqp
    • python313Packages.pamqp
    • apparmor-pam
    • opam-publish
    • pam-reattach
    • spamassassin
    • nss_pam_ldapd
    • libpam-wrapper
    • opam-installer
    • pam-honeycreds
    • rspamd-trainer
    • pam_ussh
    • pam_rssh
    • pam_ldap
    • pam
    • ncpamixer
    • opam2json
    • pam_dp9ik
    • pam_gnupg
    • pam_mount
    • pam_mysql
    • pam_pgsql
    • pamtester
    • pam_ccreds
    • pam_mktemp
    • pam_rundir
    • pam_tmpdir
    • yubico-pam
    • pam-watchid
    5 months, 2 weeks ago
  • @LeSuisse accepted 5 months, 2 weeks ago
  • @LeSuisse published on GitHub 5 months, 2 weeks ago
Linux-pam: incomplete fix for cve-2025-6020

A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020.

References

Affected products

pam
  • *
linux-pam
discovery/discovery-server-rhel9
  • *
web-terminal/web-terminal-tooling-rhel9
  • *
cert-manager/jetstack-cert-manager-rhel9
  • *
web-terminal/web-terminal-rhel9-operator
  • *
insights-proxy/insights-proxy-container-rhel9
  • *
compliance/openshift-compliance-openscap-rhel8
  • *
openshift-sandboxed-containers/osc-monitor-rhel9
  • *
registry.redhat.io/discovery/discovery-server-rhel9
  • *
openshift-sandboxed-containers/osc-podvm-builder-rhel9
  • *
openshift-sandboxed-containers/osc-podvm-payload-rhel9
  • *
openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9
  • *
registry.redhat.io/openshift-sandboxed-containers/osc-monitor-rhel9
  • *
registry.redhat.io/openshift-sandboxed-containers/osc-podvm-builder-rhel9
  • *
registry.redhat.io/openshift-sandboxed-containers/osc-podvm-payload-rhel9
  • *
registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9
  • *

Matching in nixpkgs

pkgs.linux-pam

Pluggable Authentication Modules, a flexible mechanism for authenticating user

  • nixos-unstable -
Ignored packages (69)

pkgs.pam

Pluggable Authentication Modules, a flexible mechanism for authenticating user

  • nixos-unstable -

pkgs.ipam

Cli based IPAM written in Go with PowerDNS support

  • nixos-unstable -

pkgs.opam

Package manager for OCaml

  • nixos-unstable -

pkgs.paml

Phylogenetic Analysis by Maximum Likelihood (PAML)

  • nixos-unstable -

pkgs.dspam

Community Driven Antispam Filter

  • nixos-unstable -

pkgs.pamix

Pulseaudio terminal mixer

  • nixos-unstable -
    • nixpkgs-unstable 2.0

pkgs.rspamd

Advanced spam filtering system

  • nixos-unstable -

pkgs.openpam

Open source PAM library that focuses on simplicity, correctness, and cleanliness

  • nixos-unstable -

pkgs.pam_p11

Authentication with PKCS#11 modules

  • nixos-unstable -

pkgs.pam_u2f

PAM module for allowing authentication with a U2F device

  • nixos-unstable -

pkgs.pamixer

Pulseaudio command line mixer

  • nixos-unstable -
    • nixpkgs-unstable 1.6

pkgs.pam_krb5

PAM module allowing PAM-aware applications to authenticate users by performing an AS exchange with a Kerberos KDC

  • nixos-unstable -

pkgs.pam_rssh

PAM module for authenticating via ssh-agent, written in Rust

  • nixos-unstable -

pkgs.ncpamixer

Terminal mixer for PulseAudio inspired by pavucontrol

  • nixos-unstable -

pkgs.opam2json

Convert opam file syntax to JSON

  • nixos-unstable -
    • nixpkgs-unstable 0.4

pkgs.pam_dp9ik

dp9ik pam module

  • nixos-unstable -

pkgs.pam_gnupg

Unlock GnuPG keys on login

  • nixos-unstable -
    • nixpkgs-unstable 0.4

pkgs.pam_mount

PAM module to mount volumes for a user session

  • nixos-unstable -
    • nixpkgs-unstable 2.20

pkgs.pam_mysql

PAM authentication module against a MySQL database

pkgs.pam_pgsql

Support to authenticate against PostgreSQL for PAM-enabled appliations

pkgs.pamtester

Utility program to test the PAM facility

  • nixos-unstable -

pkgs.pam_ccreds

PAM module to locally authenticate using an enterprise identity when the network is unavailable

  • nixos-unstable -
    • nixpkgs-unstable 10

pkgs.pam_mktemp

PAM for login service to provide per-user private directories

  • nixos-unstable -

pkgs.pam_rundir

Provide user runtime directory on Linux systems

  • nixos-unstable -

pkgs.pam_tmpdir

PAM module for creating safe per-user temporary directories

  • nixos-unstable -
    • nixpkgs-unstable 0.09

pkgs.yubico-pam

Yubico PAM module

  • nixos-unstable -
    • nixpkgs-unstable 2.27

pkgs.apparmor-pam

Mandatory access control system - PAM service

  • nixos-unstable -

pkgs.opam-publish

Tool to ease contributions to opam repositories

  • nixos-unstable -

pkgs.pam-reattach

Reattach to the user's GUI session on macOS during authentication (for Touch ID support in tmux)

  • nixos-unstable -
    • nixpkgs-unstable 1.3

pkgs.nss_pam_ldapd

LDAP identity and authentication for NSS/PAM

  • nixos-unstable -

pkgs.opam-installer

Handle (un)installation from opam install files

  • nixos-unstable -

pkgs.pam-honeycreds

PAM module that sends warnings when fake passwords are used

  • nixos-unstable -
    • nixpkgs-unstable 1.9

pkgs.rspamd-trainer

Grabs messages from a spam mailbox via IMAP and feeds them to Rspamd for training

NIXPKGS-2025-0010
published on
Permalink CVE-2025-40920
8.6 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 5 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months, 4 weeks ago
  • @LeSuisse accepted 5 months, 2 weeks ago
  • @LeSuisse published on GitHub 5 months, 2 weeks ago
Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl use insecurely generated nonces

Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library. * Data::UUID does not use a strong cryptographic source for generating UUIDs. * Data::UUID returns v3 UUIDs, which are generated from known information and are unsuitable for security, as per RFC 9562. * The nonces should be generated from a strong cryptographic source, as per RFC 7616.

References

Affected products

Catalyst-Authentication-Credential-HTTP
  • =<1.018

Matching in nixpkgs

NIXPKGS-2025-0008
published on
Permalink CVE-2025-7039
3.7 LOW
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 5 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months, 4 weeks ago
  • @LeSuisse accepted 5 months, 2 weeks ago
  • @LeSuisse ignored
    12 packages
    • bootc
    • loupe
    • rpm-ostree
    • podman-bootc
    • mlxbf-bootctl
    • glycin-loaders
    • systemd-bootchart
    • rubyPackages.glib2
    • rubyPackages_3_1.glib2
    • rubyPackages_3_2.glib2
    • rubyPackages_3_3.glib2
    • rubyPackages_3_4.glib2
    5 months, 2 weeks ago
  • @LeSuisse published on GitHub 5 months, 2 weeks ago
Glib: buffer under-read on glib through glib/gfileutils.c via get_tmp_file()

A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability allows a local attacker to manipulate file paths and access unauthorized data. The core issue stems from insufficient validation of file path lengths during temporary file operations.

References

Affected products

bootc
glib2
loupe
librsvg2
rpm-ostree
mingw-glib2
glycin-loaders
Ignored packages (12)

pkgs.bootc

Boot and upgrade via container images

  • nixos-unstable -

pkgs.loupe

Simple image viewer application written with GTK4 and Rust

  • nixos-unstable -
    • nixpkgs-unstable 48.1

pkgs.rpm-ostree

Hybrid image/package system. It uses OSTree as an image format, and uses RPM as a component model

  • nixos-unstable -

pkgs.podman-bootc

Streamlining podman+bootc interactions

  • nixos-unstable -

pkgs.glycin-loaders

Glycin loaders for several formats

  • nixos-unstable -

pkgs.systemd-bootchart

Boot performance graphing tool from systemd

  • nixos-unstable -
    • nixpkgs-unstable 235
NIXPKGS-2025-0004
published on
Permalink CVE-2025-10854
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 5 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months, 3 weeks ago
  • @LeSuisse ignored
    2 packages
    • python312Packages.llama-index-readers-txtai
    • python313Packages.llama-index-readers-txtai
    5 months, 2 weeks ago
  • @LeSuisse accepted 5 months, 2 weeks ago
  • @LeSuisse published on GitHub 5 months, 2 weeks ago
Symlink Following in txtai leads to arbitrary file write when loading untrusted embedding indices

The txtai framework allows the loading of compressed tar files as embedding indices. While the validate function is intended to prevent path traversal vulnerabilities by ensuring safe filenames, it does not account for symbolic links within the tar file. An attacker is able to write a file anywhere in the filesystem when txtai is used to load untrusted embedding indices

Affected products

txtai
  • =<9.0.0

Matching in nixpkgs

Ignored packages (2)

Package maintainers

NIXPKGS-2025-0005
published on
Permalink CVE-2025-9959
7.6 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): HIGH
  • Availability impact (A): LOW
updated 5 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months, 4 weeks ago
  • @LeSuisse accepted 5 months, 2 weeks ago
  • @LeSuisse published on GitHub 5 months, 2 weeks ago
Sandbox escape in smolagents Local Python execution environment via dunder attributes

Incomplete validation of dunder attributes allows an attacker to escape from the Local Python execution environment sandbox, enforced by smolagents. The attack requires a Prompt Injection in order to trick the agent to create malicious code.

Affected products

smolagents
  • <1.21.0

Matching in nixpkgs

Package maintainers