Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2025-0005
published 7 months ago
Permalink CVE-2025-9959
7.6 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 7 months ago by @LeSuisse Activity log
  • Created suggestion 8 months, 2 weeks ago
  • @LeSuisse accepted 7 months ago
  • @LeSuisse published on GitHub 7 months ago

Sandbox escape in smolagents Local Python execution environment via dunder attributes

smolagents
  • <1.21.0
NIXPKGS-2025-0010
published 7 months ago
Permalink CVE-2025-40920
8.6 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 7 months ago by @LeSuisse Activity log
  • Created suggestion 8 months, 2 weeks ago
  • @LeSuisse accepted 7 months ago
  • @LeSuisse published on GitHub 7 months ago

Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl use insecurely generated nonces

Catalyst-Authentication-Credential-HTTP
  • =<1.018
NIXPKGS-2025-0008
published 7 months ago
Permalink CVE-2025-7039
3.7 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 7 months ago by @LeSuisse Activity log
  • Created suggestion 8 months, 2 weeks ago
  • @LeSuisse accepted 7 months ago
  • @LeSuisse ignored
    12 packages
    • bootc
    • loupe
    • rpm-ostree
    • podman-bootc
    • mlxbf-bootctl
    • glycin-loaders
    • systemd-bootchart
    • rubyPackages.glib2
    • rubyPackages_3_1.glib2
    • rubyPackages_3_2.glib2
    • rubyPackages_3_3.glib2
    • rubyPackages_3_4.glib2
    7 months ago
  • @LeSuisse published on GitHub 7 months ago

Glib: buffer under-read on glib through glib/gfileutils.c via get_tmp_file()

bootc
glib2
loupe
librsvg2
rpm-ostree
mingw-glib2
glycin-loaders
NIXPKGS-2025-0006
published 7 months ago
Permalink CVE-2025-40928
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 7 months ago by @LeSuisse Activity log
  • Created suggestion 8 months, 2 weeks ago
  • @LeSuisse ignored
    6 packages
    • perlPackages.CpanelJSONXS
    • perl538Packages.CpanelJSONXS
    • perl540Packages.CpanelJSONXS
    • perlPackages.JSONXSVersionOneAndTwo
    • perl538Packages.JSONXSVersionOneAndTwo
    • perl540Packages.JSONXSVersionOneAndTwo
    7 months ago
  • @LeSuisse accepted 7 months ago
  • @LeSuisse published on GitHub 7 months ago

JSON::XS before version 4.04 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact

JSON-XS
  • <4.04
NIXPKGS-2025-0007
published 7 months ago
Permalink CVE-2025-40929
5.6 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 7 months ago by @LeSuisse Activity log
  • Created suggestion 8 months, 2 weeks ago
  • @LeSuisse accepted 7 months ago
  • @LeSuisse published on GitHub 7 months ago

Cpanel::JSON::XS before version 4.40 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact

Cpanel-JSON-XS
  • <4.40
NIXPKGS-2025-0004
published 7 months ago
Permalink CVE-2025-10854
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 7 months ago by @LeSuisse Activity log
  • Created suggestion 8 months, 1 week ago
  • @LeSuisse ignored
    2 packages
    • python312Packages.llama-index-readers-txtai
    • python313Packages.llama-index-readers-txtai
    7 months ago
  • @LeSuisse accepted 7 months ago
  • @LeSuisse published on GitHub 7 months ago

Symlink Following in txtai leads to arbitrary file write when loading untrusted embedding indices

txtai
  • =<9.0.0
NIXPKGS-2025-0003
published 7 months ago
Permalink CVE-2025-9905
updated 7 months ago by @LeSuisse Activity log
  • Created suggestion 8 months, 1 week ago
  • @Erethon dismissed 7 months, 1 week ago
  • @Erethon marked as untriaged 7 months, 1 week ago
  • @LeSuisse ignored package python312Packages.tf-keras 7 months ago
  • @balsoft restored package python312Packages.tf-keras 7 months ago
  • @balsoft dismissed 7 months ago
  • @LeSuisse accepted 7 months ago
  • @LeSuisse ignored package python312Packages.tf-keras 7 months ago
  • @LeSuisse published on GitHub 7 months ago

Arbitary Code execution in Keras load_model()

keras
  • =<3.11.2
NIXPKGS-2025-0002
published 7 months ago
Permalink CVE-2025-9900
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 7 months ago by @balsoft Activity log
  • Created suggestion 8 months, 1 week ago
  • @balsoft accepted 7 months ago
  • @balsoft deleted
    3 maintainers
    • @sikmir
    • @imincik
    • @nialov
    7 months ago maintainer.delete
  • @balsoft added maintainer @balsoft 7 months ago maintainer.add
  • @balsoft published on GitHub 7 months ago

Libtiff: libtiff write-what-where

libtiff
  • *
  • <4.7.1
mingw-libtiff
  • *
compat-libtiff3
  • *
spice-client-win
  • *
rhaiis/vllm-cuda-rhel9
  • *
rhaiis/vllm-rocm-rhel9
  • *
rhaiis/model-opt-cuda-rhel9
  • *
discovery/discovery-ui-rhel9
  • *
NIXPKGS-2025-0001
published 7 months, 1 week ago
Permalink CVE-2025-8067
8.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): High (H)
updated 7 months, 1 week ago by @balsoft Activity log
  • Created suggestion 8 months, 2 weeks ago
  • @balsoft added maintainer @balsoft 7 months, 1 week ago maintainer.add
  • @balsoft accepted 7 months, 1 week ago
  • @balsoft published on GitHub 7 months, 1 week ago

Udisks: out-of-bounds read in udisks daemon

udisks
udisks2
  • *
  • <2.10.2
  • <2.10.91