Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2025-0019
published 6 months, 3 weeks ago
Permalink CVE-2025-54771
4.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    2 packages
    • grub2_pvgrub_image
    • grub2_pvhgrub_image
  • @LeSuisse deleted maintainer @SigmaSquadron maintainer.delete
  • @LeSuisse added
    2 maintainers
    • @hehongbo
    • @digitalrane
    maintainer.add
  • @LeSuisse deleted
    2 maintainers
    • @hehongbo
    • @digitalrane
    maintainer.delete
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Grub2: use-after-free in grub_file_close()


grub2
  • =<2.14
rhcos
NIXPKGS-2025-0018
published 6 months, 3 weeks ago
Permalink CVE-2025-61662
4.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse deleted
    4 maintainers
    • @SigmaSquadron
    • @hehongbo
    • @digitalrane
    • @CertainLach
    maintainer.delete
  • @LeSuisse ignored
    2 packages
    • grub2_pvhgrub_image
    • grub2_pvgrub_image
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Grub2: missing unregister call for gettext command may lead to use-after-free


grub2
  • =<2.14
rhcos
NIXPKGS-2025-0016
published 6 months, 3 weeks ago
Permalink CVE-2025-61661
4.8 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Physical (P)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Physical (P)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): High (H)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse deleted
    4 maintainers
    • @SigmaSquadron
    • @hehongbo
    • @digitalrane
    • @CertainLach
    maintainer.delete
  • @LeSuisse ignored
    2 packages
    • grub2_pvhgrub_image
    • grub2_pvgrub_image
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Grub2: out-of-bounds write


grub2
  • =<2.14
rhcos
NIXPKGS-2025-0017
published 6 months, 3 weeks ago
Permalink CVE-2025-61663
4.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse deleted
    4 maintainers
    • @SigmaSquadron
    • @hehongbo
    • @digitalrane
    • @CertainLach
    maintainer.delete
  • @LeSuisse ignored
    2 packages
    • grub2_pvgrub_image
    • grub2_pvhgrub_image
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Grub2: missing unregister call for normal commands may lead to use-after-free


grub2
  • =<2.14
rhcos
NIXPKGS-2025-0021
published 6 months, 3 weeks ago
Permalink CVE-2025-61664
4.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    2 packages
    • grub2_pvgrub_image
    • grub2_pvhgrub_image
  • @LeSuisse deleted maintainer @SigmaSquadron maintainer.delete
  • @LeSuisse added
    3 maintainers
    • @hehongbo
    • @digitalrane
    • @CertainLach
    maintainer.add
  • @LeSuisse deleted
    3 maintainers
    • @hehongbo
    • @digitalrane
    • @CertainLach
    maintainer.delete
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Grub2: missing unregister call for normal_exit command may lead to use-after-free


grub2
  • =<2.14
rhcos
NIXPKGS-2025-0014
published 6 months, 3 weeks ago
Permalink CVE-2025-13502
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • tests.pkg-config.defaultPkgConfigPackages."webkit2gtk-4.0"
    • obs-studio-plugins.obs-webkitgtk
    • haskellPackages.webkit2gtk3-javascriptcore
    • tests.pkg-config.defaultPkgConfigPackages."javascriptcoregtk-4.0"
    • tests.pkg-config.defaultPkgConfigPackages."webkit2gtk-web-extension-4.0"
  • @LeSuisse deleted
    4 maintainers
    • @jtojnar
    • @bobby285271
    • @hedning
    • @dasj19
    maintainer.delete
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Webkit: webkitgtk / wpe webkit: out-of-bounds read and integer underflow vulnerability leading to dos


webkitgtk
  • <2.50.2
webkitgtk3
webkitgtk4
  • *
webkit2gtk3
  • *
NIXPKGS-2025-0013
published 6 months, 3 weeks ago
Permalink CVE-2025-10230
10.0 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 6 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored package sambamba
  • @mweinelt accepted
  • @mweinelt published on GitHub

Samba: command injection in wins server hook script


rhcos
samba
  • <4.21.9
  • <4.23.2
  • <4.21.5
samba4
Fixed in:
https://github.com/NixOS/nixpkgs/pull/433796
https://github.com/NixOS/nixpkgs/pull/452396
NIXPKGS-2025-0012
published 6 months, 3 weeks ago
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Forward Secrecy Violation in WolfSSL TLS 1.3


wolfssl
  • ==v5.8.2
  • <5.8.4
NIXPKGS-2025-0011
published 6 months, 3 weeks ago
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Improper Validation of Signature Algorithm Used in TLS 1.3 CertificateVerify


wolfssl
  • ==v5.8.2
  • <5.8.4
NIXPKGS-2025-0006
published 8 months, 1 week ago
Permalink CVE-2025-40928
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 8 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    6 packages
    • perlPackages.CpanelJSONXS
    • perl538Packages.CpanelJSONXS
    • perl540Packages.CpanelJSONXS
    • perlPackages.JSONXSVersionOneAndTwo
    • perl538Packages.JSONXSVersionOneAndTwo
    • perl540Packages.JSONXSVersionOneAndTwo
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

JSON::XS before version 4.04 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact


JSON-XS
  • <4.04