Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2025-0009
published 7 months, 2 weeks ago
Permalink CVE-2025-8941
7.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 7 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months, 4 weeks ago
  • @LeSuisse ignored
    69 packages
    • ipam
    • opam
    • paml
    • dspam
    • pamix
    • rspamd
    • openpam
    • pam_p11
    • pam_u2f
    • pamixer
    • dopamine
    • pam_krb5
    • sbclPackages.cl-xmlspam
    • python312Packages.pamela
    • python313Packages.pamela
    • stalwart-mail-spam-filter
    • python312Packages.pypamtest
    • python313Packages.pypamtest
    • python312Packages.python-pam
    • python313Packages.python-pam
    • wordpressPackages.plugins.antispam-bee
    • matrix-synapse-plugins.matrix-synapse-pam
    • matrix-synapse-plugins.synapse-http-antispam
    • matrix-synapse-plugins.matrix-synapse-mjolnir-antispam
    • vscode-extensions.fabiospampinato.vscode-open-in-github
    • pam_ssh_agent_auth
    • rubyPackages.rpam2
    • decode-spam-headers
    • haskellPackages.pam
    • luaPackages.lua-pam
    • google-authenticator
    • lua51Packages.lua-pam
    • lua52Packages.lua-pam
    • lua53Packages.lua-pam
    • rubyPackages_3_1.rpam2
    • rubyPackages_3_2.rpam2
    • rubyPackages_3_3.rpam2
    • rubyPackages_3_4.rpam2
    • kdePackages.kwallet-pam
    • opensmtpd-filter-rspamd
    • python312Packages.pamqp
    • python313Packages.pamqp
    • apparmor-pam
    • opam-publish
    • pam-reattach
    • spamassassin
    • nss_pam_ldapd
    • libpam-wrapper
    • opam-installer
    • pam-honeycreds
    • rspamd-trainer
    • pam_ussh
    • pam_rssh
    • pam_ldap
    • pam
    • ncpamixer
    • opam2json
    • pam_dp9ik
    • pam_gnupg
    • pam_mount
    • pam_mysql
    • pam_pgsql
    • pamtester
    • pam_ccreds
    • pam_mktemp
    • pam_rundir
    • pam_tmpdir
    • yubico-pam
    • pam-watchid
    7 months, 2 weeks ago
  • @LeSuisse accepted 7 months, 2 weeks ago
  • @LeSuisse published on GitHub 7 months, 2 weeks ago

Linux-pam: incomplete fix for cve-2025-6020

pam
  • *
linux-pam
discovery/discovery-server-rhel9
  • *
web-terminal/web-terminal-tooling-rhel9
  • *
cert-manager/jetstack-cert-manager-rhel9
  • *
web-terminal/web-terminal-rhel9-operator
  • *
insights-proxy/insights-proxy-container-rhel9
  • *
compliance/openshift-compliance-openscap-rhel8
  • *
openshift-sandboxed-containers/osc-monitor-rhel9
  • *
registry.redhat.io/discovery/discovery-server-rhel9
  • *
openshift-sandboxed-containers/osc-podvm-builder-rhel9
  • *
openshift-sandboxed-containers/osc-podvm-payload-rhel9
  • *
openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9
  • *
registry.redhat.io/openshift-sandboxed-containers/osc-monitor-rhel9
  • *
registry.redhat.io/openshift-sandboxed-containers/osc-podvm-builder-rhel9
  • *
registry.redhat.io/openshift-sandboxed-containers/osc-podvm-payload-rhel9
  • *
registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9
  • *
NIXPKGS-2025-0007
published 7 months, 2 weeks ago
Permalink CVE-2025-40929
5.6 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 7 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months, 4 weeks ago
  • @LeSuisse accepted 7 months, 2 weeks ago
  • @LeSuisse published on GitHub 7 months, 2 weeks ago

Cpanel::JSON::XS before version 4.40 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact

Cpanel-JSON-XS
  • <4.40
NIXPKGS-2025-0005
published 7 months, 2 weeks ago
Permalink CVE-2025-9959
7.6 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 7 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months, 4 weeks ago
  • @LeSuisse accepted 7 months, 2 weeks ago
  • @LeSuisse published on GitHub 7 months, 2 weeks ago

Sandbox escape in smolagents Local Python execution environment via dunder attributes

smolagents
  • <1.21.0
NIXPKGS-2025-0006
published 7 months, 2 weeks ago
Permalink CVE-2025-40928
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 7 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months, 4 weeks ago
  • @LeSuisse ignored
    6 packages
    • perlPackages.CpanelJSONXS
    • perl538Packages.CpanelJSONXS
    • perl540Packages.CpanelJSONXS
    • perlPackages.JSONXSVersionOneAndTwo
    • perl538Packages.JSONXSVersionOneAndTwo
    • perl540Packages.JSONXSVersionOneAndTwo
    7 months, 2 weeks ago
  • @LeSuisse accepted 7 months, 2 weeks ago
  • @LeSuisse published on GitHub 7 months, 2 weeks ago

JSON::XS before version 4.04 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact

JSON-XS
  • <4.04
NIXPKGS-2025-0008
published 7 months, 2 weeks ago
Permalink CVE-2025-7039
3.7 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 7 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months, 4 weeks ago
  • @LeSuisse accepted 7 months, 2 weeks ago
  • @LeSuisse ignored
    12 packages
    • bootc
    • loupe
    • rpm-ostree
    • podman-bootc
    • mlxbf-bootctl
    • glycin-loaders
    • systemd-bootchart
    • rubyPackages.glib2
    • rubyPackages_3_1.glib2
    • rubyPackages_3_2.glib2
    • rubyPackages_3_3.glib2
    • rubyPackages_3_4.glib2
    7 months, 2 weeks ago
  • @LeSuisse published on GitHub 7 months, 2 weeks ago

Glib: buffer under-read on glib through glib/gfileutils.c via get_tmp_file()

bootc
glib2
loupe
librsvg2
rpm-ostree
mingw-glib2
glycin-loaders
NIXPKGS-2025-0010
published 7 months, 2 weeks ago
Permalink CVE-2025-40920
8.6 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 7 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months, 4 weeks ago
  • @LeSuisse accepted 7 months, 2 weeks ago
  • @LeSuisse published on GitHub 7 months, 2 weeks ago

Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl use insecurely generated nonces

Catalyst-Authentication-Credential-HTTP
  • =<1.018
NIXPKGS-2025-0004
published 7 months, 2 weeks ago
Permalink CVE-2025-10854
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 7 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months, 3 weeks ago
  • @LeSuisse ignored
    2 packages
    • python312Packages.llama-index-readers-txtai
    • python313Packages.llama-index-readers-txtai
    7 months, 2 weeks ago
  • @LeSuisse accepted 7 months, 2 weeks ago
  • @LeSuisse published on GitHub 7 months, 2 weeks ago

Symlink Following in txtai leads to arbitrary file write when loading untrusted embedding indices

txtai
  • =<9.0.0
NIXPKGS-2025-0003
published 7 months, 2 weeks ago
Permalink CVE-2025-9905
updated 7 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months, 3 weeks ago
  • @Erethon dismissed 7 months, 3 weeks ago
  • @Erethon marked as untriaged 7 months, 3 weeks ago
  • @LeSuisse ignored package python312Packages.tf-keras 7 months, 2 weeks ago
  • @balsoft restored package python312Packages.tf-keras 7 months, 2 weeks ago
  • @balsoft dismissed 7 months, 2 weeks ago
  • @LeSuisse accepted 7 months, 2 weeks ago
  • @LeSuisse ignored package python312Packages.tf-keras 7 months, 2 weeks ago
  • @LeSuisse published on GitHub 7 months, 2 weeks ago

Arbitary Code execution in Keras load_model()

keras
  • =<3.11.2
NIXPKGS-2025-0002
published 7 months, 2 weeks ago
Permalink CVE-2025-9900
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 7 months, 2 weeks ago by @balsoft Activity log
  • Created suggestion 8 months, 3 weeks ago
  • @balsoft accepted 7 months, 2 weeks ago
  • @balsoft deleted
    3 maintainers
    • @sikmir
    • @imincik
    • @nialov
    7 months, 2 weeks ago maintainer.delete
  • @balsoft added maintainer @balsoft 7 months, 2 weeks ago maintainer.add
  • @balsoft published on GitHub 7 months, 2 weeks ago

Libtiff: libtiff write-what-where

libtiff
  • *
  • <4.7.1
mingw-libtiff
  • *
compat-libtiff3
  • *
spice-client-win
  • *
rhaiis/vllm-cuda-rhel9
  • *
rhaiis/vllm-rocm-rhel9
  • *
rhaiis/model-opt-cuda-rhel9
  • *
discovery/discovery-ui-rhel9
  • *
NIXPKGS-2025-0001
published 7 months, 2 weeks ago
Permalink CVE-2025-8067
8.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): High (H)
updated 7 months, 2 weeks ago by @balsoft Activity log
  • Created suggestion 8 months, 4 weeks ago
  • @balsoft added maintainer @balsoft 7 months, 2 weeks ago maintainer.add
  • @balsoft accepted 7 months, 2 weeks ago
  • @balsoft published on GitHub 7 months, 2 weeks ago

Udisks: out-of-bounds read in udisks daemon

udisks
udisks2
  • *
  • <2.10.2
  • <2.10.91