Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2025-0021
published on
Permalink CVE-2025-61664
4.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 4 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse ignored
    2 packages
    • grub2_pvgrub_image
    • grub2_pvhgrub_image
    4 months, 1 week ago
  • @LeSuisse deleted maintainer @SigmaSquadron 4 months, 1 week ago maintainer.delete
  • @LeSuisse added
    3 maintainers
    • @hehongbo
    • @digitalrane
    • @CertainLach
    4 months, 1 week ago maintainer.add
  • @LeSuisse deleted
    3 maintainers
    • @hehongbo
    • @digitalrane
    • @CertainLach
    4 months, 1 week ago maintainer.delete
  • @LeSuisse accepted 4 months, 1 week ago
  • @LeSuisse published on GitHub 4 months, 1 week ago
Grub2: missing unregister call for normal_exit command may lead to use-after-free

A vulnerability in the GRUB2 bootloader has been identified in the normal module. This flaw, a memory Use After Free issue, occurs because the normal_exit command is not properly unregistered when its related module is unloaded. An attacker can exploit this condition by invoking the command after the module has been removed, causing the system to improperly access a previously freed memory location. This leads to a system crash or possible impacts in data confidentiality and integrity.

References

Affected products

grub2
  • =<2.14
rhcos
Ignored packages (2)

pkgs.grub2_pvgrub_image

PvGrub2 image for booting PV Xen guests

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

pkgs.grub2_pvhgrub_image

PvGrub2 image for booting PVH Xen guests

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
NIXPKGS-2025-0014
published on
Permalink CVE-2025-13502
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 4 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 5 months ago
  • @LeSuisse ignored
    5 packages
    • tests.pkg-config.defaultPkgConfigPackages."webkit2gtk-4.0"
    • obs-studio-plugins.obs-webkitgtk
    • haskellPackages.webkit2gtk3-javascriptcore
    • tests.pkg-config.defaultPkgConfigPackages."javascriptcoregtk-4.0"
    • tests.pkg-config.defaultPkgConfigPackages."webkit2gtk-web-extension-4.0"
    4 months, 1 week ago
  • @LeSuisse deleted
    4 maintainers
    • @jtojnar
    • @bobby285271
    • @hedning
    • @dasj19
    4 months, 1 week ago maintainer.delete
  • @LeSuisse accepted 4 months, 1 week ago
  • @LeSuisse published on GitHub 4 months, 1 week ago
Webkit: webkitgtk / wpe webkit: out-of-bounds read and integer underflow vulnerability leading to dos

A flaw was found in WebKitGTK and WPE WebKit. This vulnerability allows an out-of-bounds read and integer underflow, leading to a UIProcess crash (DoS) via a crafted payload to the GLib remote inspector server.

References

Affected products

webkitgtk
  • <2.50.2
webkitgtk3
webkitgtk4
  • *
webkit2gtk3
  • *

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Ignored maintainers (4)
NIXPKGS-2025-0015
published on
Permalink CVE-2025-8396
updated 4 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 7 months, 1 week ago
  • @LeSuisse ignored
    14 packages
    • temporal-cli
    • python312Packages.temporalio
    • python313Packages.temporalio
    • haskellPackages.temporal-media
    • terraform-providers.temporalcloud
    • postgresqlPackages.temporal_tables
    • postgresql13Packages.temporal_tables
    • postgresql14Packages.temporal_tables
    • postgresql15Packages.temporal_tables
    • postgresql16Packages.temporal_tables
    • postgresql18Packages.temporal_tables
    • haskellPackages.temporal-music-notation
    • haskellPackages.temporal-music-notation-demo
    • haskellPackages.temporal-music-notation-western
    6 months ago
  • @LeSuisse accepted 6 months ago
  • @LeSuisse published on GitHub 4 months, 1 week ago
Insufficiently specific bounds checking on authorization header could lead to …

Insufficiently specific bounds checking on authorization header could lead to denial of service in the Temporal server on all platforms due to excessive memory allocation.This issue affects all platforms and versions of OSS Server prior to 1.26.3, 1.27.3, and 1.28.1 (i.e., fixed in 1.26.3, 1.27.3, and 1.28.1 and later). Temporal Cloud services are not impacted.

Affected products

temporal
  • <1.28.1
  • <1.26.3
  • <1.27.3

Matching in nixpkgs

pkgs.temporal

Microservice orchestration platform which enables developers to build scalable applications without sacrificing productivity or reliability

  • nixos-unstable -
Ignored packages (14)

pkgs.temporal-cli

Command-line interface for running Temporal Server and interacting with Workflows, Activities, Namespaces, and other parts of Temporal

  • nixos-unstable -

Package maintainers

NIXPKGS-2025-0013
published on
Permalink CVE-2025-10230
10.0 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 4 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion 5 months, 1 week ago
  • @mweinelt ignored package sambamba 4 months, 2 weeks ago
  • @mweinelt accepted 4 months, 2 weeks ago
  • @mweinelt published on GitHub 4 months, 2 weeks ago
Samba: command injection in wins server hook script

A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names from registration packets are passed to a shell without proper validation or escaping. Unsanitized NetBIOS name data from WINS registration packets are inserted into a shell command and executed by the Samba Active Directory Domain Controller’s wins hook, allowing an unauthenticated network attacker to achieve remote command execution as the Samba process.

Affected products

rhcos
samba
  • <4.23.2
  • <4.21.5
  • <4.21.9
samba4

Matching in nixpkgs

pkgs.samba

Standard Windows interoperability suite of programs for Linux and Unix

  • nixos-unstable -

pkgs.samba4

Standard Windows interoperability suite of programs for Linux and Unix

pkgs.sambaFull

Standard Windows interoperability suite of programs for Linux and Unix

pkgs.samba4Full

Standard Windows interoperability suite of programs for Linux and Unix

Ignored packages (1)

Package maintainers

Fixed in:
https://github.com/NixOS/nixpkgs/pull/433796
https://github.com/NixOS/nixpkgs/pull/452396
NIXPKGS-2025-0012
published on
Permalink CVE-2025-11935
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse accepted 4 months, 2 weeks ago
  • @LeSuisse published on GitHub 4 months, 2 weeks ago
Forward Secrecy Violation in WolfSSL TLS 1.3

With TLS 1.3 pre-shared key (PSK) a malicious or faulty server could ignore the request for PFS (perfect forward secrecy) and the client would continue on with the connection using PSK without PFS. This happened when a server responded to a ClientHello containing psk_dhe_ke without a key_share extension. The re-use of an authenticated PSK connection that on the clients side unexpectedly did not have PFS, reduces the security of the connection.

Affected products

wolfssl
  • ==v5.8.2
  • <5.8.4

Matching in nixpkgs

pkgs.wolfssl

Small, fast, portable implementation of TLS/SSL for embedded devices

Package maintainers

NIXPKGS-2025-0011
published on
Permalink CVE-2025-11934
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse accepted 4 months, 2 weeks ago
  • @LeSuisse published on GitHub 4 months, 2 weeks ago
Improper Validation of Signature Algorithm Used in TLS 1.3 CertificateVerify

Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multiple platforms allows for downgrading the signature algorithm used. For example when a client sends ECDSA P521 as the supported signature algorithm the server previously could respond as ECDSA P256 being the accepted signature algorithm and the connection would continue with using ECDSA P256, if the client supports ECDSA P256.

Affected products

wolfssl
  • ==v5.8.2
  • <5.8.4

Matching in nixpkgs

pkgs.wolfssl

Small, fast, portable implementation of TLS/SSL for embedded devices

Package maintainers

NIXPKGS-2025-0006
published on
Permalink CVE-2025-40928
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 5 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 7 months, 1 week ago
  • @LeSuisse ignored
    6 packages
    • perlPackages.CpanelJSONXS
    • perl538Packages.CpanelJSONXS
    • perl540Packages.CpanelJSONXS
    • perlPackages.JSONXSVersionOneAndTwo
    • perl538Packages.JSONXSVersionOneAndTwo
    • perl540Packages.JSONXSVersionOneAndTwo
    5 months, 4 weeks ago
  • @LeSuisse accepted 5 months, 4 weeks ago
  • @LeSuisse published on GitHub 5 months, 4 weeks ago
JSON::XS before version 4.04 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact

JSON::XS before version 4.04 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact

Affected products

JSON-XS
  • <4.04

Matching in nixpkgs

pkgs.perlPackages.JSONXS

JSON serialising/deserialising, done correctly and fast

  • nixos-unstable -
    • nixpkgs-unstable 4.03
Ignored packages (6)
NIXPKGS-2025-0007
published on
Permalink CVE-2025-40929
5.6 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 5 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 7 months, 1 week ago
  • @LeSuisse accepted 5 months, 4 weeks ago
  • @LeSuisse published on GitHub 5 months, 4 weeks ago
Cpanel::JSON::XS before version 4.40 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact

Cpanel::JSON::XS before version 4.40 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact

Affected products

Cpanel-JSON-XS
  • <4.40

Matching in nixpkgs

NIXPKGS-2025-0009
published on
Permalink CVE-2025-8941
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 5 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 7 months, 1 week ago
  • @LeSuisse ignored
    69 packages
    • ipam
    • opam
    • paml
    • dspam
    • pamix
    • rspamd
    • openpam
    • pam_p11
    • pam_u2f
    • pamixer
    • dopamine
    • pam_krb5
    • sbclPackages.cl-xmlspam
    • python312Packages.pamela
    • python313Packages.pamela
    • stalwart-mail-spam-filter
    • python312Packages.pypamtest
    • python313Packages.pypamtest
    • python312Packages.python-pam
    • python313Packages.python-pam
    • wordpressPackages.plugins.antispam-bee
    • matrix-synapse-plugins.matrix-synapse-pam
    • matrix-synapse-plugins.synapse-http-antispam
    • matrix-synapse-plugins.matrix-synapse-mjolnir-antispam
    • vscode-extensions.fabiospampinato.vscode-open-in-github
    • pam_ssh_agent_auth
    • rubyPackages.rpam2
    • decode-spam-headers
    • haskellPackages.pam
    • luaPackages.lua-pam
    • google-authenticator
    • lua51Packages.lua-pam
    • lua52Packages.lua-pam
    • lua53Packages.lua-pam
    • rubyPackages_3_1.rpam2
    • rubyPackages_3_2.rpam2
    • rubyPackages_3_3.rpam2
    • rubyPackages_3_4.rpam2
    • kdePackages.kwallet-pam
    • opensmtpd-filter-rspamd
    • python312Packages.pamqp
    • python313Packages.pamqp
    • apparmor-pam
    • opam-publish
    • pam-reattach
    • spamassassin
    • nss_pam_ldapd
    • libpam-wrapper
    • opam-installer
    • pam-honeycreds
    • rspamd-trainer
    • pam_ussh
    • pam_rssh
    • pam_ldap
    • pam
    • ncpamixer
    • opam2json
    • pam_dp9ik
    • pam_gnupg
    • pam_mount
    • pam_mysql
    • pam_pgsql
    • pamtester
    • pam_ccreds
    • pam_mktemp
    • pam_rundir
    • pam_tmpdir
    • yubico-pam
    • pam-watchid
    5 months, 4 weeks ago
  • @LeSuisse accepted 5 months, 4 weeks ago
  • @LeSuisse published on GitHub 5 months, 4 weeks ago
Linux-pam: incomplete fix for cve-2025-6020

A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020.

References

Affected products

pam
  • *
linux-pam
discovery/discovery-server-rhel9
  • *
web-terminal/web-terminal-tooling-rhel9
  • *
cert-manager/jetstack-cert-manager-rhel9
  • *
web-terminal/web-terminal-rhel9-operator
  • *
insights-proxy/insights-proxy-container-rhel9
  • *
compliance/openshift-compliance-openscap-rhel8
  • *
openshift-sandboxed-containers/osc-monitor-rhel9
  • *
registry.redhat.io/discovery/discovery-server-rhel9
  • *
openshift-sandboxed-containers/osc-podvm-builder-rhel9
  • *
openshift-sandboxed-containers/osc-podvm-payload-rhel9
  • *
openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9
  • *
registry.redhat.io/openshift-sandboxed-containers/osc-monitor-rhel9
  • *
registry.redhat.io/openshift-sandboxed-containers/osc-podvm-builder-rhel9
  • *
registry.redhat.io/openshift-sandboxed-containers/osc-podvm-payload-rhel9
  • *
registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9
  • *

Matching in nixpkgs

pkgs.linux-pam

Pluggable Authentication Modules, a flexible mechanism for authenticating user

  • nixos-unstable -
Ignored packages (69)

pkgs.pam

Pluggable Authentication Modules, a flexible mechanism for authenticating user

  • nixos-unstable -

pkgs.ipam

Cli based IPAM written in Go with PowerDNS support

  • nixos-unstable -

pkgs.opam

Package manager for OCaml

  • nixos-unstable -

pkgs.paml

Phylogenetic Analysis by Maximum Likelihood (PAML)

  • nixos-unstable -

pkgs.dspam

Community Driven Antispam Filter

  • nixos-unstable -

pkgs.pamix

Pulseaudio terminal mixer

  • nixos-unstable -
    • nixpkgs-unstable 2.0

pkgs.rspamd

Advanced spam filtering system

  • nixos-unstable -

pkgs.openpam

Open source PAM library that focuses on simplicity, correctness, and cleanliness

  • nixos-unstable -

pkgs.pam_p11

Authentication with PKCS#11 modules

  • nixos-unstable -

pkgs.pam_u2f

PAM module for allowing authentication with a U2F device

  • nixos-unstable -

pkgs.pamixer

Pulseaudio command line mixer

  • nixos-unstable -
    • nixpkgs-unstable 1.6

pkgs.pam_krb5

PAM module allowing PAM-aware applications to authenticate users by performing an AS exchange with a Kerberos KDC

  • nixos-unstable -

pkgs.pam_rssh

PAM module for authenticating via ssh-agent, written in Rust

  • nixos-unstable -

pkgs.ncpamixer

Terminal mixer for PulseAudio inspired by pavucontrol

  • nixos-unstable -

pkgs.opam2json

Convert opam file syntax to JSON

  • nixos-unstable -
    • nixpkgs-unstable 0.4

pkgs.pam_dp9ik

dp9ik pam module

  • nixos-unstable -

pkgs.pam_gnupg

Unlock GnuPG keys on login

  • nixos-unstable -
    • nixpkgs-unstable 0.4

pkgs.pam_mount

PAM module to mount volumes for a user session

  • nixos-unstable -
    • nixpkgs-unstable 2.20

pkgs.pam_mysql

PAM authentication module against a MySQL database

pkgs.pam_pgsql

Support to authenticate against PostgreSQL for PAM-enabled appliations

pkgs.pamtester

Utility program to test the PAM facility

  • nixos-unstable -

pkgs.pam_ccreds

PAM module to locally authenticate using an enterprise identity when the network is unavailable

  • nixos-unstable -
    • nixpkgs-unstable 10

pkgs.pam_mktemp

PAM for login service to provide per-user private directories

  • nixos-unstable -

pkgs.pam_rundir

Provide user runtime directory on Linux systems

  • nixos-unstable -

pkgs.pam_tmpdir

PAM module for creating safe per-user temporary directories

  • nixos-unstable -
    • nixpkgs-unstable 0.09

pkgs.yubico-pam

Yubico PAM module

  • nixos-unstable -
    • nixpkgs-unstable 2.27

pkgs.apparmor-pam

Mandatory access control system - PAM service

  • nixos-unstable -

pkgs.opam-publish

Tool to ease contributions to opam repositories

  • nixos-unstable -

pkgs.pam-reattach

Reattach to the user's GUI session on macOS during authentication (for Touch ID support in tmux)

  • nixos-unstable -
    • nixpkgs-unstable 1.3

pkgs.nss_pam_ldapd

LDAP identity and authentication for NSS/PAM

  • nixos-unstable -

pkgs.opam-installer

Handle (un)installation from opam install files

  • nixos-unstable -

pkgs.pam-honeycreds

PAM module that sends warnings when fake passwords are used

  • nixos-unstable -
    • nixpkgs-unstable 1.9

pkgs.rspamd-trainer

Grabs messages from a spam mailbox via IMAP and feeds them to Rspamd for training

NIXPKGS-2025-0010
published on
Permalink CVE-2025-40920
8.6 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 5 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 7 months, 1 week ago
  • @LeSuisse accepted 5 months, 4 weeks ago
  • @LeSuisse published on GitHub 5 months, 4 weeks ago
Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl use insecurely generated nonces

Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library. * Data::UUID does not use a strong cryptographic source for generating UUIDs. * Data::UUID returns v3 UUIDs, which are generated from known information and are unsuitable for security, as per RFC 9562. * The nonces should be generated from a strong cryptographic source, as per RFC 7616.

Affected products

Catalyst-Authentication-Credential-HTTP
  • =<1.018

Matching in nixpkgs