Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2025-0022
published on
Permalink CVE-2025-11060
5.7 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 5 months, 3 weeks ago
  • @LeSuisse ignored package surrealdb-migrations 4 months, 4 weeks ago
  • @LeSuisse accepted 4 months, 4 weeks ago
  • @LeSuisse published on GitHub 4 months, 4 weeks ago
Surrealdb: surrealdb is vulnerable to unauthorized data exposure via live query subscriptions

A flaw was found in the live query subscription mechanism of the database engine. This vulnerability allows record or guest users to observe unauthorized records within the same table, bypassing access controls, via crafted LIVE SELECT subscriptions when other users alter or delete records.

Affected products

surrealdb
  • <3.3.0-alpha.7
  • <2.2.8
  • <2.3.8
  • <2.1.9
openshift-service-mesh/istio-cni-rhel9
openshift-service-mesh/istio-pilot-rhel9
openshift-service-mesh/istio-proxyv2-rhel9
openshift-service-mesh/istio-rhel9-operator
openshift-service-mesh/istio-must-gather-rhel9
openshift-service-mesh/istio-sail-operator-bundle
openshift-service-mesh-tech-preview/istio-ztunnel-rhel9
openshift-service-mesh-dev-preview-beta/istio-ztunnel-rhel9

Matching in nixpkgs

pkgs.surrealdb

Scalable, distributed, collaborative, document-graph database, for the realtime web

Ignored packages (1)

pkgs.surrealdb-migrations

Awesome SurrealDB migration tool, with a user-friendly CLI and a versatile Rust library that enables seamless integration into any project

Package maintainers

NIXPKGS-2025-0020
published on
Permalink CVE-2025-54770
4.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 5 months, 3 weeks ago
  • @LeSuisse ignored
    2 packages
    • grub2_pvgrub_image
    • grub2_pvhgrub_image
    4 months, 4 weeks ago
  • @LeSuisse deleted maintainer @SigmaSquadron 4 months, 4 weeks ago maintainer.delete
  • @LeSuisse added
    2 maintainers
    • @hehongbo
    • @digitalrane
    4 months, 4 weeks ago maintainer.add
  • @LeSuisse deleted maintainer @hehongbo 4 months, 4 weeks ago maintainer.delete
  • @LeSuisse added maintainer @CertainLach 4 months, 4 weeks ago maintainer.add
  • @LeSuisse deleted
    2 maintainers
    • @digitalrane
    • @CertainLach
    4 months, 4 weeks ago maintainer.delete
  • @LeSuisse accepted 4 months, 4 weeks ago
  • @LeSuisse published on GitHub 4 months, 4 weeks ago
Grub2: use-after-free in net_set_vlan

A vulnerability has been identified in the GRUB2 bootloader's network module that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the net_set_vlan command is not properly unregistered when the network module is unloaded from memory. An attacker who can execute this command can force the system to access memory locations that are no longer valid. Successful exploitation leads directly to system instability, which can result in a complete crash and halt system availability

Affected products

grub2
  • =<2.14
rhcos
Ignored packages (2)

pkgs.grub2_pvgrub_image

PvGrub2 image for booting PV Xen guests

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

pkgs.grub2_pvhgrub_image

PvGrub2 image for booting PVH Xen guests

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
NIXPKGS-2025-0019
published on
Permalink CVE-2025-54771
4.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 5 months, 3 weeks ago
  • @LeSuisse ignored
    2 packages
    • grub2_pvgrub_image
    • grub2_pvhgrub_image
    4 months, 4 weeks ago
  • @LeSuisse deleted maintainer @SigmaSquadron 4 months, 4 weeks ago maintainer.delete
  • @LeSuisse added
    2 maintainers
    • @hehongbo
    • @digitalrane
    4 months, 4 weeks ago maintainer.add
  • @LeSuisse deleted
    2 maintainers
    • @hehongbo
    • @digitalrane
    4 months, 4 weeks ago maintainer.delete
  • @LeSuisse accepted 4 months, 4 weeks ago
  • @LeSuisse published on GitHub 4 months, 4 weeks ago
Grub2: use-after-free in grub_file_close()

A use-after-free vulnerability has been identified in the GNU GRUB (Grand Unified Bootloader). The flaw occurs because the file-closing process incorrectly retains a memory pointer, leaving an invalid reference to a file system structure. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality compromise is not discarded.

Affected products

grub2
  • =<2.14
rhcos
Ignored packages (2)

pkgs.grub2_pvgrub_image

PvGrub2 image for booting PV Xen guests

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

pkgs.grub2_pvhgrub_image

PvGrub2 image for booting PVH Xen guests

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
NIXPKGS-2025-0018
published on
Permalink CVE-2025-61662
4.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 5 months, 3 weeks ago
  • @LeSuisse deleted
    4 maintainers
    • @SigmaSquadron
    • @hehongbo
    • @digitalrane
    • @CertainLach
    4 months, 4 weeks ago maintainer.delete
  • @LeSuisse ignored
    2 packages
    • grub2_pvhgrub_image
    • grub2_pvgrub_image
    4 months, 4 weeks ago
  • @LeSuisse accepted 4 months, 4 weeks ago
  • @LeSuisse published on GitHub 4 months, 4 weeks ago
Grub2: missing unregister call for gettext command may lead to use-after-free

A Use-After-Free vulnerability has been discovered in GRUB's gettext module. This flaw stems from a programming error where the gettext command remains registered in memory after its module is unloaded. An attacker can exploit this condition by invoking the orphaned command, causing the application to access a memory location that is no longer valid. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality compromise is not discarded.

Affected products

grub2
  • =<2.14
rhcos
Ignored packages (2)

pkgs.grub2_pvgrub_image

PvGrub2 image for booting PV Xen guests

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

pkgs.grub2_pvhgrub_image

PvGrub2 image for booting PVH Xen guests

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
NIXPKGS-2025-0017
published on
Permalink CVE-2025-61663
4.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 5 months, 3 weeks ago
  • @LeSuisse deleted
    4 maintainers
    • @SigmaSquadron
    • @hehongbo
    • @digitalrane
    • @CertainLach
    4 months, 4 weeks ago maintainer.delete
  • @LeSuisse ignored
    2 packages
    • grub2_pvgrub_image
    • grub2_pvhgrub_image
    4 months, 4 weeks ago
  • @LeSuisse accepted 4 months, 4 weeks ago
  • @LeSuisse published on GitHub 4 months, 4 weeks ago
Grub2: missing unregister call for normal commands may lead to use-after-free

A vulnerability has been identified in the GRUB2 bootloader's normal command that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the normal command is not properly unregistered when the module is unloaded. An attacker who can execute this command can force the system to access memory locations that are no longer valid. Successful exploitation leads directly to system instability, which can result in a complete crash and halt system availability. Impact on the data integrity and confidentiality is also not discarded.

References

Affected products

grub2
  • =<2.14
rhcos
Ignored packages (2)

pkgs.grub2_pvgrub_image

PvGrub2 image for booting PV Xen guests

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

pkgs.grub2_pvhgrub_image

PvGrub2 image for booting PVH Xen guests

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
NIXPKGS-2025-0021
published on
Permalink CVE-2025-61664
4.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 5 months, 3 weeks ago
  • @LeSuisse ignored
    2 packages
    • grub2_pvgrub_image
    • grub2_pvhgrub_image
    4 months, 4 weeks ago
  • @LeSuisse deleted maintainer @SigmaSquadron 4 months, 4 weeks ago maintainer.delete
  • @LeSuisse added
    3 maintainers
    • @hehongbo
    • @digitalrane
    • @CertainLach
    4 months, 4 weeks ago maintainer.add
  • @LeSuisse deleted
    3 maintainers
    • @hehongbo
    • @digitalrane
    • @CertainLach
    4 months, 4 weeks ago maintainer.delete
  • @LeSuisse accepted 4 months, 4 weeks ago
  • @LeSuisse published on GitHub 4 months, 4 weeks ago
Grub2: missing unregister call for normal_exit command may lead to use-after-free

A vulnerability in the GRUB2 bootloader has been identified in the normal module. This flaw, a memory Use After Free issue, occurs because the normal_exit command is not properly unregistered when its related module is unloaded. An attacker can exploit this condition by invoking the command after the module has been removed, causing the system to improperly access a previously freed memory location. This leads to a system crash or possible impacts in data confidentiality and integrity.

References

Affected products

grub2
  • =<2.14
rhcos
Ignored packages (2)

pkgs.grub2_pvgrub_image

PvGrub2 image for booting PV Xen guests

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

pkgs.grub2_pvhgrub_image

PvGrub2 image for booting PVH Xen guests

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
NIXPKGS-2025-0014
published on
Permalink CVE-2025-13502
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 5 months, 2 weeks ago
  • @LeSuisse ignored
    5 packages
    • tests.pkg-config.defaultPkgConfigPackages."webkit2gtk-4.0"
    • obs-studio-plugins.obs-webkitgtk
    • haskellPackages.webkit2gtk3-javascriptcore
    • tests.pkg-config.defaultPkgConfigPackages."javascriptcoregtk-4.0"
    • tests.pkg-config.defaultPkgConfigPackages."webkit2gtk-web-extension-4.0"
    4 months, 4 weeks ago
  • @LeSuisse deleted
    4 maintainers
    • @jtojnar
    • @bobby285271
    • @hedning
    • @dasj19
    4 months, 4 weeks ago maintainer.delete
  • @LeSuisse accepted 4 months, 4 weeks ago
  • @LeSuisse published on GitHub 4 months, 4 weeks ago
Webkit: webkitgtk / wpe webkit: out-of-bounds read and integer underflow vulnerability leading to dos

A flaw was found in WebKitGTK and WPE WebKit. This vulnerability allows an out-of-bounds read and integer underflow, leading to a UIProcess crash (DoS) via a crafted payload to the GLib remote inspector server.

References

Affected products

webkitgtk
  • <2.50.2
webkitgtk3
webkitgtk4
  • *
webkit2gtk3
  • *

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Ignored maintainers (4)
NIXPKGS-2025-0015
published on
Permalink CVE-2025-8396
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 7 months, 3 weeks ago
  • @LeSuisse ignored
    14 packages
    • temporal-cli
    • python312Packages.temporalio
    • python313Packages.temporalio
    • haskellPackages.temporal-media
    • terraform-providers.temporalcloud
    • postgresqlPackages.temporal_tables
    • postgresql13Packages.temporal_tables
    • postgresql14Packages.temporal_tables
    • postgresql15Packages.temporal_tables
    • postgresql16Packages.temporal_tables
    • postgresql18Packages.temporal_tables
    • haskellPackages.temporal-music-notation
    • haskellPackages.temporal-music-notation-demo
    • haskellPackages.temporal-music-notation-western
    6 months, 2 weeks ago
  • @LeSuisse accepted 6 months, 2 weeks ago
  • @LeSuisse published on GitHub 4 months, 4 weeks ago
Insufficiently specific bounds checking on authorization header could lead to …

Insufficiently specific bounds checking on authorization header could lead to denial of service in the Temporal server on all platforms due to excessive memory allocation.This issue affects all platforms and versions of OSS Server prior to 1.26.3, 1.27.3, and 1.28.1 (i.e., fixed in 1.26.3, 1.27.3, and 1.28.1 and later). Temporal Cloud services are not impacted.

Affected products

temporal
  • <1.27.3
  • <1.26.3
  • <1.28.1

Matching in nixpkgs

pkgs.temporal

Microservice orchestration platform which enables developers to build scalable applications without sacrificing productivity or reliability

  • nixos-unstable -
Ignored packages (14)

pkgs.temporal-cli

Command-line interface for running Temporal Server and interacting with Workflows, Activities, Namespaces, and other parts of Temporal

  • nixos-unstable -

Package maintainers

NIXPKGS-2025-0013
published on
Permalink CVE-2025-10230
10.0 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 5 months ago by @mweinelt Activity log
  • Created suggestion 5 months, 3 weeks ago
  • @mweinelt ignored package sambamba 5 months ago
  • @mweinelt accepted 5 months ago
  • @mweinelt published on GitHub 5 months ago
Samba: command injection in wins server hook script

A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names from registration packets are passed to a shell without proper validation or escaping. Unsanitized NetBIOS name data from WINS registration packets are inserted into a shell command and executed by the Samba Active Directory Domain Controller’s wins hook, allowing an unauthenticated network attacker to achieve remote command execution as the Samba process.

Affected products

rhcos
samba
  • <4.21.9
  • <4.21.5
  • <4.23.2
samba4

Matching in nixpkgs

pkgs.samba

Standard Windows interoperability suite of programs for Linux and Unix

  • nixos-unstable -

pkgs.samba4

Standard Windows interoperability suite of programs for Linux and Unix

pkgs.sambaFull

Standard Windows interoperability suite of programs for Linux and Unix

pkgs.samba4Full

Standard Windows interoperability suite of programs for Linux and Unix

Ignored packages (1)

Package maintainers

Fixed in:
https://github.com/NixOS/nixpkgs/pull/433796
https://github.com/NixOS/nixpkgs/pull/452396
NIXPKGS-2025-0012
published on
Permalink CVE-2025-11935
updated 5 months ago by @LeSuisse Activity log
  • Created suggestion 5 months, 3 weeks ago
  • @LeSuisse accepted 5 months ago
  • @LeSuisse published on GitHub 5 months ago
Forward Secrecy Violation in WolfSSL TLS 1.3

With TLS 1.3 pre-shared key (PSK) a malicious or faulty server could ignore the request for PFS (perfect forward secrecy) and the client would continue on with the connection using PSK without PFS. This happened when a server responded to a ClientHello containing psk_dhe_ke without a key_share extension. The re-use of an authenticated PSK connection that on the clients side unexpectedly did not have PFS, reduces the security of the connection.

Affected products

wolfssl
  • ==v5.8.2
  • <5.8.4

Matching in nixpkgs

pkgs.wolfssl

Small, fast, portable implementation of TLS/SSL for embedded devices

Package maintainers