Nixpkgs Security Tracker

CVE-2025-46420

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): HIGH

created 4 months, 1 week ago

Libsoup: memory leak on soup_header_parse_quality_list() via soup-headers.c

A flaw was found in libsoup. It is vulnerable to memory leaks in the soup_header_parse_quality_list() function when parsing a quality list that contains elements with all zeroes.

libsoup

*

<3.6.3

libsoup3

pkgs.libsoup_3

HTTP client/server library for GNOME

nixos-unstable 3.6.0
- nixos-unstable-small 3.6.0
- nixpkgs-unstable 3.6.0

pkgs.libsoup_2_4

HTTP client/server library for GNOME

nixos-unstable 2.74.3
- nixos-unstable-small 2.74.3
- nixpkgs-unstable 2.74.3

pkgs.libsoup_3.x86_64-linux

HTTP client/server library for GNOME

nixos-unstable ???
- nixos-unstable-small 3.6.0

pkgs.libsoup_3.aarch64-linux

HTTP client/server library for GNOME

nixos-unstable ???
- nixos-unstable-small 3.6.0

pkgs.libsoup_3.x86_64-darwin

HTTP client/server library for GNOME

nixos-unstable ???
- nixos-unstable-small 3.6.0

pkgs.libsoup_2_4.x86_64-linux

HTTP client/server library for GNOME

nixos-unstable ???
- nixos-unstable-small 2.74.3

pkgs.libsoup_3.aarch64-darwin

HTTP client/server library for GNOME

nixos-unstable ???
- nixos-unstable-small 3.6.0

pkgs.libsoup_2_4.aarch64-linux

HTTP client/server library for GNOME

nixos-unstable ???
- nixos-unstable-small 2.74.3

pkgs.libsoup_2_4.x86_64-darwin

HTTP client/server library for GNOME

nixos-unstable ???
- nixos-unstable-small 2.74.3

pkgs.libsoup_2_4.aarch64-darwin

HTTP client/server library for GNOME

nixos-unstable ???
- nixos-unstable-small 2.74.3

pkgs.tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4"

Test whether libsoup-2.74.3 exposes pkg-config modules libsoup-gnome-2.4

nixos-unstable 2.4
- nixos-unstable-small 2.4
- nixpkgs-unstable 2.4

Package maintainers: 6

@jtojnar Jan Tojnar <jtojnar@gmail.com>

@bobby285271 Bobby Rong <rjl931189261@126.com>

@lovek323 Jason O'Conal <jason@oconal.id.au>

@hedning Tor Hedin Brønner <torhedinbronner@gmail.com>

@dasj19 Daniel Șerbănescu <daniel@serbanescu.dk>

@7c6f434c Michael Raskin <7c6f434c@mail.ru>

CVE-2025-46483

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): LOW

created 4 months, 1 week ago

WordPress Peadig’s Google +1 Button <= 0.1.2 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Moss Peadig’s Google +1 Button allows DOM-Based XSS. This issue affects Peadig’s Google +1 Button: from n/a through 0.1.2.

google-1

=<0.1.2

pkgs.python311Packages.cirq-google

Framework for creating, editing, and invoking Noisy Intermediate Scale Quantum (NISQ) circuits

nixos-unstable 1.4.1
- nixos-unstable-small 1.4.1
- nixpkgs-unstable 1.4.1

pkgs.python312Packages.cirq-google

Framework for creating, editing, and invoking Noisy Intermediate Scale Quantum (NISQ) circuits

nixos-unstable 1.4.1
- nixos-unstable-small 1.4.1
- nixpkgs-unstable 1.4.1

Package maintainers: 2

@fabaff Fabian Affolter <mail@fabian-affolter.ch>

@drewrisinger Drew Risinger <drisinger+nixpkgs@gmail.com>

CVE-2024-25982

4.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): NONE
Availability impact (A): NONE

created 4 months, 1 week ago

Msa-24-0005: csrf risk in language import utility

The link to update all installed language packs did not include the necessary token to prevent a CSRF risk.

moodle

<4.3.3

<4.1.9

<4.2.6

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

nixos-unstable 4.4.3
- nixos-unstable-small 4.4.4
- nixpkgs-unstable 4.4.3

pkgs.moodle-dl

Moodle downloader that downloads course content fast from Moodle

nixos-unstable 2.3.12
- nixos-unstable-small 2.3.12
- nixpkgs-unstable 2.3.12

Package maintainers: 2

@freezeboy freezeboy

@kmein Kierán Meinhardt <kmein@posteo.de>

CVE-2024-6387

8.1 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 4 months, 1 week ago

Openssh: regresshion - race condition in ssh allows rce/dos

A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

rhcos

*

OpenSSH

=<9.7p1

openssh

*

rhceph-6-rhel9

pkgs.openssh

Implementation of the SSH protocol

nixos-unstable 9.9p1
- nixos-unstable-small 9.9p1
- nixpkgs-unstable 9.9p1

pkgs.opensshTest

Implementation of the SSH protocol

nixos-unstable 9.9p1
- nixos-unstable-small 9.9p1
- nixpkgs-unstable 9.9p1

pkgs.openssh_hpn

Implementation of the SSH protocol with high performance networking patches

nixos-unstable 9.9p1
- nixos-unstable-small 9.9p1
- nixpkgs-unstable 9.9p1

pkgs.openssh_gssapi

Implementation of the SSH protocol with GSSAPI support

nixos-unstable 9.9p1
- nixos-unstable-small 9.9p1
- nixpkgs-unstable 9.9p1

pkgs.opensshWithKerberos

Implementation of the SSH protocol

nixos-unstable 9.9p1
- nixos-unstable-small 9.9p1
- nixpkgs-unstable 9.9p1

pkgs.openssh_hpnWithKerberos

Implementation of the SSH protocol with high performance networking patches

nixos-unstable 9.9p1
- nixos-unstable-small 9.9p1
- nixpkgs-unstable 9.9p1

pkgs.lxqt.lxqt-openssh-askpass

GUI to query passwords on behalf of SSH agents

nixos-unstable 2.1.0
- nixos-unstable-small 2.1.0
- nixpkgs-unstable 2.1.0

pkgs.perl538Packages.NetOpenSSH

Perl SSH client package implemented on top of OpenSSH

nixos-unstable 0.84
- nixos-unstable-small 0.84
- nixpkgs-unstable 0.84

pkgs.perl540Packages.NetOpenSSH

Perl SSH client package implemented on top of OpenSSH

nixos-unstable 0.84
- nixos-unstable-small 0.84
- nixpkgs-unstable 0.84

pkgs.perl540Packages.NetOpenSSH.x86_64-linux

Perl SSH client package implemented on top of OpenSSH

nixos-unstable ???
- nixpkgs-unstable 0.84

pkgs.perl540Packages.NetOpenSSH.aarch64-linux

Perl SSH client package implemented on top of OpenSSH

nixos-unstable ???
- nixpkgs-unstable 0.84

pkgs.perl540Packages.NetOpenSSH.x86_64-darwin

Perl SSH client package implemented on top of OpenSSH

nixos-unstable ???
- nixpkgs-unstable 0.84

pkgs.perl540Packages.NetOpenSSH.aarch64-darwin

Perl SSH client package implemented on top of OpenSSH

nixos-unstable ???
- nixpkgs-unstable 0.84

Package maintainers: 6

@dasJ Janne Heß <janne@hess.ooo>

@helsinki-Jo Joachim Ernst <joachim.ernst@helsinki-systems.de>

@Conni2461 Simon Hauser <simon-hauser@outlook.com>

@aneeshusa Aneesh Agrawal <aneeshusa@gmail.com>

@wahjava Ashish SHUKLA <ashish.is@lostca.se>

@romildo José Romildo Malaquias <malaquias@gmail.com>

CVE-2025-46443

4.9 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

created 4 months, 1 week ago

WordPress Animate <= 0.5 - Server Side Request Forgery (SSRF) Vulnerability

Server-Side Request Forgery (SSRF) vulnerability in Adam Pery Animate allows Server Side Request Forgery. This issue affects Animate: from n/a through 0.5.

animate

=<0.5

pkgs.vimPlugins.mini-animate

nixos-unstable 2024-12-01
- nixos-unstable-small 2024-12-01
- nixpkgs-unstable 2024-12-01

CVE-2025-46505

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): LOW

created 4 months, 1 week ago

WordPress Peekaboo <= 1.1 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in farinspace Peekaboo allows Stored XSS. This issue affects Peekaboo: from n/a through 1.1.

peekaboo

=<1.1

pkgs.vimPlugins.vim-peekaboo

nixos-unstable 2019-12-12
- nixos-unstable-small 2019-12-12
- nixpkgs-unstable 2019-12-12

pkgs.vimPlugins.vim-peekaboo.x86_64-linux

nixos-unstable ???
- nixos-unstable-small 2019-12-12

pkgs.vimPlugins.vim-peekaboo.aarch64-linux

nixos-unstable ???
- nixos-unstable-small 2019-12-12

pkgs.vimPlugins.vim-peekaboo.x86_64-darwin

nixos-unstable ???
- nixos-unstable-small 2019-12-12

pkgs.vimPlugins.vim-peekaboo.aarch64-darwin

nixos-unstable ???
- nixos-unstable-small 2019-12-12

CVE-2025-46421

6.8 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE

created 4 months, 1 week ago

Libsoup: information disclosure may leads libsoup client sends authorization header to a different host when being redirected by a server

A flaw was found in libsoup. When libsoup clients encounter an HTTP redirect, they mistakenly send the HTTP Authorization header to the new host that the redirection points to. This allows the new host to impersonate the user to the original host that issued the redirect.

libsoup

*

<3.6.5

libsoup3

*

pkgs.libsoup_3

HTTP client/server library for GNOME

nixos-unstable 3.6.0
- nixos-unstable-small 3.6.0
- nixpkgs-unstable 3.6.0

pkgs.libsoup_2_4

HTTP client/server library for GNOME

nixos-unstable 2.74.3
- nixos-unstable-small 2.74.3
- nixpkgs-unstable 2.74.3

pkgs.libsoup_3.x86_64-linux

HTTP client/server library for GNOME

nixos-unstable ???
- nixos-unstable-small 3.6.0

pkgs.libsoup_3.aarch64-linux

HTTP client/server library for GNOME

nixos-unstable ???
- nixos-unstable-small 3.6.0

pkgs.libsoup_3.x86_64-darwin

HTTP client/server library for GNOME

nixos-unstable ???
- nixos-unstable-small 3.6.0

pkgs.libsoup_2_4.x86_64-linux

HTTP client/server library for GNOME

nixos-unstable ???
- nixos-unstable-small 2.74.3

pkgs.libsoup_3.aarch64-darwin

HTTP client/server library for GNOME

nixos-unstable ???
- nixos-unstable-small 3.6.0

pkgs.libsoup_2_4.aarch64-linux

HTTP client/server library for GNOME

nixos-unstable ???
- nixos-unstable-small 2.74.3

pkgs.libsoup_2_4.x86_64-darwin

HTTP client/server library for GNOME

nixos-unstable ???
- nixos-unstable-small 2.74.3

pkgs.libsoup_2_4.aarch64-darwin

HTTP client/server library for GNOME

nixos-unstable ???
- nixos-unstable-small 2.74.3

pkgs.tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4"

Test whether libsoup-2.74.3 exposes pkg-config modules libsoup-gnome-2.4

nixos-unstable 2.4
- nixos-unstable-small 2.4
- nixpkgs-unstable 2.4

Package maintainers: 6

@jtojnar Jan Tojnar <jtojnar@gmail.com>

@bobby285271 Bobby Rong <rjl931189261@126.com>

@lovek323 Jason O'Conal <jason@oconal.id.au>

@hedning Tor Hedin Brønner <torhedinbronner@gmail.com>

@dasj19 Daniel Șerbănescu <daniel@serbanescu.dk>

@7c6f434c Michael Raskin <7c6f434c@mail.ru>

CVE-2025-46399

7.1 HIGH

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE

created 4 months, 1 week ago

fig2dev segmentation fault in genge_itp_spline

Segmentation fault in fig2dev in version 3.2.9a allows an attacker to availability via local input manipulation via genge_itp_spline function.

xfig

=<3.2.9a

fig2dev

==3.2.9a

transfig

pkgs.fig2dev

Tool to convert Xfig files to other formats

nixos-unstable 3.2.9
- nixos-unstable-small 3.2.9
- nixpkgs-unstable 3.2.9

Package maintainers: 1

@LeSuisse Thomas Gerbet <thomas@gerbet.me>

CVE-2025-46400

7.1 HIGH

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE

created 4 months, 1 week ago

fig2dev segmentation fault in read_arcobject

Segmentation fault in fig2dev in version 3.2.9a allows an attacker to availability via local input manipulation via read_arcobject function.

xfig

=<3.2.9a

fig2dev

==3.2.9a

transfig

pkgs.fig2dev

Tool to convert Xfig files to other formats

nixos-unstable 3.2.9
- nixos-unstable-small 3.2.9
- nixpkgs-unstable 3.2.9

Package maintainers: 1

@LeSuisse Thomas Gerbet <thomas@gerbet.me>

CVE-2025-46397

7.1 HIGH

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE

created 4 months, 1 week ago

fig2dev stack-overflow

Stack-overflow in fig2dev in version 3.2.9a allows an attacker possible code execution via local input manipulation via bezier_spline function.

xfig

=<3.2.9a

fig2dev

==3.2.9a

transfig

pkgs.fig2dev

Tool to convert Xfig files to other formats

nixos-unstable 3.2.9
- nixos-unstable-small 3.2.9
- nixpkgs-unstable 3.2.9

Package maintainers: 1

@LeSuisse Thomas Gerbet <thomas@gerbet.me>

Automatically generated suggestions

pkgs.libsoup_3

pkgs.libsoup_2_4

pkgs.libsoup_3.x86_64-linux

pkgs.libsoup_3.aarch64-linux

pkgs.libsoup_3.x86_64-darwin

pkgs.libsoup_2_4.x86_64-linux

pkgs.libsoup_3.aarch64-darwin

pkgs.libsoup_2_4.aarch64-linux

pkgs.libsoup_2_4.x86_64-darwin

pkgs.libsoup_2_4.aarch64-darwin

pkgs.tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4"

pkgs.python311Packages.cirq-google

pkgs.python312Packages.cirq-google

pkgs.moodle

pkgs.moodle-dl

pkgs.openssh

pkgs.opensshTest

pkgs.openssh_hpn

pkgs.openssh_gssapi

pkgs.opensshWithKerberos

pkgs.openssh_hpnWithKerberos

pkgs.lxqt.lxqt-openssh-askpass

pkgs.perl538Packages.NetOpenSSH

pkgs.perl540Packages.NetOpenSSH

pkgs.perl540Packages.NetOpenSSH.x86_64-linux

pkgs.perl540Packages.NetOpenSSH.aarch64-linux

pkgs.perl540Packages.NetOpenSSH.x86_64-darwin

pkgs.perl540Packages.NetOpenSSH.aarch64-darwin

pkgs.vimPlugins.mini-animate

pkgs.vimPlugins.vim-peekaboo

pkgs.vimPlugins.vim-peekaboo.x86_64-linux

pkgs.vimPlugins.vim-peekaboo.aarch64-linux

pkgs.vimPlugins.vim-peekaboo.x86_64-darwin

pkgs.vimPlugins.vim-peekaboo.aarch64-darwin

pkgs.libsoup_3

pkgs.libsoup_2_4

pkgs.libsoup_3.x86_64-linux

pkgs.libsoup_3.aarch64-linux

pkgs.libsoup_3.x86_64-darwin

pkgs.libsoup_2_4.x86_64-linux

pkgs.libsoup_3.aarch64-darwin

pkgs.libsoup_2_4.aarch64-linux

pkgs.libsoup_2_4.x86_64-darwin

pkgs.libsoup_2_4.aarch64-darwin

pkgs.tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4"

pkgs.fig2dev

pkgs.fig2dev

pkgs.fig2dev