Nixpkgs Security Tracker

Automatically generated suggestions

created 4 months ago
WordPress Progress Bar <= 2.2.3 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Reynolds Progress Bar allows Stored XSS. This issue affects Progress Bar: from n/a through 2.2.3.

Affected products

progress-bar
  • =<2.2.3

Matching in nixpkgs

pkgs.haskellPackages.terminal-progress-bar

A progress bar in the terminal

  • nixos-unstable -
created 4 months ago
io.quarkus:quarkus-security-webauthn: Quarkus WebAuthn unexpected authentication bypass

A vulnerability was found in Quarkus in the quarkus-security-webauthn module. The Quarkus WebAuthn module publishes default REST endpoints for registering and logging users in while allowing developers to provide custom REST endpoints. When developers provide custom REST endpoints, the default endpoints remain accessible, potentially allowing attackers to obtain a login cookie that has no corresponding user in the Quarkus application or, depending on how the application is written, could correspond to an existing user that has no relation with the current attacker, allowing anyone to log in as an existing user by just knowing that user's user name.

Affected products

quarkus
  • <3.15.3.1
io.quarkus:quarkus-security-webauthn

Matching in nixpkgs

pkgs.quarkus

Kubernetes-native Java framework tailored for GraalVM and HotSpot, crafted from best-of-breed Java libraries and standards

  • nixos-unstable -

Package maintainers: 1

created 4 months ago
GLib: buffer underflow in GLib through glib/gstring.c via function g_string_insert_unichar

A flaw was found in GLib, which is vulnerable to an integer overflow in the g_string_insert_unichar() function. When the position at which to insert the character is large, the position will overflow, leading to a buffer underwrite.

Affected products

glib
  • <2.84.2
bootc
glib2
  • *
loupe
librsvg2
mingw-glib2
glycin-loaders
rhosdt/jaeger-agent-rhel8
  • *
rhosdt/jaeger-query-rhel8
  • *
rhosdt/jaeger-ingester-rhel8
  • *
rhosdt/jaeger-rhel8-operator
  • *
rhosdt/jaeger-collector-rhel8
  • *
rhosdt/jaeger-operator-bundle
  • *
rhosdt/jaeger-all-in-one-rhel8
  • *
rhosdt/jaeger-es-rollover-rhel8
  • *
rhosdt/jaeger-es-index-cleaner-rhel8
  • *
registry.redhat.io/rhosdt/jaeger-agent-rhel8
  • *
registry.redhat.io/rhosdt/jaeger-query-rhel8
  • *
insights-proxy/insights-proxy-container-rhel9
  • *
registry.redhat.io/rhosdt/jaeger-ingester-rhel8
  • *
registry.redhat.io/rhosdt/jaeger-rhel8-operator
  • *
registry.redhat.io/rhosdt/jaeger-collector-rhel8
  • *
registry.redhat.io/rhosdt/jaeger-operator-bundle
  • *
registry.redhat.io/rhosdt/jaeger-all-in-one-rhel8
  • *
registry.redhat.io/rhosdt/jaeger-es-rollover-rhel8
  • *
registry.redhat.io/rhosdt/jaeger-es-index-cleaner-rhel8
  • *
registry.redhat.io/insights-proxy/insights-proxy-container-rhel9
  • *

Matching in nixpkgs

pkgs.bootc

Boot and upgrade via container images

  • nixos-unstable -

pkgs.podman-bootc

Streamlining podman+bootc interactions

  • nixos-unstable -

pkgs.mlxbf-bootctl

Control BlueField boot partitions

pkgs.systemd-bootchart

Boot performance graphing tool from systemd

  • nixos-unstable -

pkgs.rubyPackages.glib2

pkgs.rubyPackages_3_1.glib2

pkgs.rubyPackages_3_2.glib2

pkgs.rubyPackages_3_3.glib2

pkgs.rubyPackages_3_4.glib2

Package maintainers: 5

created 4 months ago
Mojolicious versions from 7.28 through 9.39 for Perl may generate weak HMAC session secrets

Mojolicious versions from 7.28 through 9.39 for Perl may generate weak HMAC session secrets. When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.

Affected products

Mojolicious
  • =<9.40
  • =<9.39
  • =<*

Matching in nixpkgs

pkgs.perlPackages.Mojolicious

Real-time web framework

  • nixos-unstable -

pkgs.perl538Packages.Mojolicious

Real-time web framework

  • nixos-unstable -

pkgs.perl540Packages.Mojolicious

Real-time web framework

  • nixos-unstable -

pkgs.perlPackages.MojoliciousPluginI18N

Internationalization Plugin for Mojolicious

pkgs.perlPackages.MojoliciousPluginMail

Mojolicious Plugin for send mail

  • nixos-unstable -

pkgs.perlPackages.MojoliciousPluginStatus

Mojolicious server status

  • nixos-unstable -

pkgs.perlPackages.MojoliciousPluginSyslog

Plugin for enabling a Mojolicious app to log to syslog

  • nixos-unstable -

pkgs.perl538Packages.MojoliciousPluginI18N

Internationalization Plugin for Mojolicious

pkgs.perl538Packages.MojoliciousPluginMail

Mojolicious Plugin for send mail

  • nixos-unstable -

pkgs.perl540Packages.MojoliciousPluginI18N

Internationalization Plugin for Mojolicious

pkgs.perl540Packages.MojoliciousPluginMail

Mojolicious Plugin for send mail

  • nixos-unstable -

pkgs.perlPackages.MojoliciousPluginOpenAPI

OpenAPI / Swagger plugin for Mojolicious

  • nixos-unstable -

pkgs.perlPackages.MojoliciousPluginWebpack

Mojolicious <3 Webpack

  • nixos-unstable -

pkgs.perlPackages.MojoliciousPluginGravatar

Globally Recognized Avatars for Mojolicious

  • nixos-unstable -

pkgs.perl538Packages.MojoliciousPluginStatus

Mojolicious server status

  • nixos-unstable -

pkgs.perl538Packages.MojoliciousPluginSyslog

Plugin for enabling a Mojolicious app to log to syslog

  • nixos-unstable -

pkgs.perl540Packages.MojoliciousPluginStatus

Mojolicious server status

  • nixos-unstable -

pkgs.perl540Packages.MojoliciousPluginSyslog

Plugin for enabling a Mojolicious app to log to syslog

  • nixos-unstable -

pkgs.perlPackages.MojoliciousPluginAssetPack

Compress and convert css, less, sass, javascript and coffeescript files

  • nixos-unstable -

pkgs.perl538Packages.MojoliciousPluginOpenAPI

OpenAPI / Swagger plugin for Mojolicious

  • nixos-unstable -

pkgs.perl538Packages.MojoliciousPluginWebpack

Mojolicious <3 Webpack

  • nixos-unstable -

pkgs.perl540Packages.MojoliciousPluginOpenAPI

OpenAPI / Swagger plugin for Mojolicious

  • nixos-unstable -

pkgs.perl540Packages.MojoliciousPluginWebpack

Mojolicious <3 Webpack

  • nixos-unstable -

pkgs.perlPackages.MojoliciousPluginRenderFile

"render_file" helper for Mojolicious

  • nixos-unstable -

pkgs.perl538Packages.MojoliciousPluginGravatar

Globally Recognized Avatars for Mojolicious

  • nixos-unstable -

pkgs.perl540Packages.MojoliciousPluginGravatar

Globally Recognized Avatars for Mojolicious

  • nixos-unstable -

pkgs.perl538Packages.MojoliciousPluginAssetPack

Compress and convert css, less, sass, javascript and coffeescript files

  • nixos-unstable -

pkgs.perl540Packages.MojoliciousPluginAssetPack

Compress and convert css, less, sass, javascript and coffeescript files

  • nixos-unstable -

pkgs.perl538Packages.MojoliciousPluginRenderFile

"render_file" helper for Mojolicious

  • nixos-unstable -

pkgs.perl540Packages.MojoliciousPluginRenderFile

"render_file" helper for Mojolicious

  • nixos-unstable -

pkgs.perlPackages.MojoliciousPluginTextExceptions

Render exceptions as text in command line user agents

  • nixos-unstable -

pkgs.perlPackages.MojoliciousPluginTemplateToolkit

Template Toolkit renderer plugin for Mojolicious

  • nixos-unstable -

pkgs.perl538Packages.MojoliciousPluginTextExceptions

Render exceptions as text in command line user agents

  • nixos-unstable -

pkgs.perl540Packages.MojoliciousPluginTextExceptions

Render exceptions as text in command line user agents

  • nixos-unstable -

pkgs.perl538Packages.MojoliciousPluginTemplateToolkit

Template Toolkit renderer plugin for Mojolicious

  • nixos-unstable -

pkgs.perl540Packages.MojoliciousPluginTemplateToolkit

Template Toolkit renderer plugin for Mojolicious

  • nixos-unstable -

Package maintainers: 4

created 4 months ago
Mojolicious versions from 0.999922 through 9.39 for Perl use a hard-coded string, or the application's class name, as an HMAC session secret by default

Mojolicious versions from 0.999922 through 9.39 for Perl use a hard-coded string, or the application's class name, as an HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.

Affected products

Mojolicious
  • =<9.40
  • =<9.39
  • =<*

Matching in nixpkgs

pkgs.perlPackages.Mojolicious

Real-time web framework

  • nixos-unstable -

pkgs.perl538Packages.Mojolicious

Real-time web framework

  • nixos-unstable -

pkgs.perl540Packages.Mojolicious

Real-time web framework

  • nixos-unstable -

pkgs.perlPackages.MojoliciousPluginI18N

Internationalization Plugin for Mojolicious

pkgs.perlPackages.MojoliciousPluginMail

Mojolicious Plugin for send mail

  • nixos-unstable -

pkgs.perlPackages.MojoliciousPluginStatus

Mojolicious server status

  • nixos-unstable -

pkgs.perlPackages.MojoliciousPluginSyslog

Plugin for enabling a Mojolicious app to log to syslog

  • nixos-unstable -

pkgs.perl538Packages.MojoliciousPluginI18N

Internationalization Plugin for Mojolicious

pkgs.perl538Packages.MojoliciousPluginMail

Mojolicious Plugin for send mail

  • nixos-unstable -

pkgs.perl540Packages.MojoliciousPluginI18N

Internationalization Plugin for Mojolicious

pkgs.perl540Packages.MojoliciousPluginMail

Mojolicious Plugin for send mail

  • nixos-unstable -

pkgs.perlPackages.MojoliciousPluginOpenAPI

OpenAPI / Swagger plugin for Mojolicious

  • nixos-unstable -

pkgs.perlPackages.MojoliciousPluginWebpack

Mojolicious <3 Webpack

  • nixos-unstable -

pkgs.perlPackages.MojoliciousPluginGravatar

Globally Recognized Avatars for Mojolicious

  • nixos-unstable -

pkgs.perl538Packages.MojoliciousPluginStatus

Mojolicious server status

  • nixos-unstable -

pkgs.perl538Packages.MojoliciousPluginSyslog

Plugin for enabling a Mojolicious app to log to syslog

  • nixos-unstable -

pkgs.perl540Packages.MojoliciousPluginStatus

Mojolicious server status

  • nixos-unstable -

pkgs.perl540Packages.MojoliciousPluginSyslog

Plugin for enabling a Mojolicious app to log to syslog

  • nixos-unstable -

pkgs.perlPackages.MojoliciousPluginAssetPack

Compress and convert css, less, sass, javascript and coffeescript files

  • nixos-unstable -

pkgs.perl538Packages.MojoliciousPluginOpenAPI

OpenAPI / Swagger plugin for Mojolicious

  • nixos-unstable -

pkgs.perl538Packages.MojoliciousPluginWebpack

Mojolicious <3 Webpack

  • nixos-unstable -

pkgs.perl540Packages.MojoliciousPluginOpenAPI

OpenAPI / Swagger plugin for Mojolicious

  • nixos-unstable -

pkgs.perl540Packages.MojoliciousPluginWebpack

Mojolicious <3 Webpack

  • nixos-unstable -

pkgs.perlPackages.MojoliciousPluginRenderFile

"render_file" helper for Mojolicious

  • nixos-unstable -

pkgs.perl538Packages.MojoliciousPluginGravatar

Globally Recognized Avatars for Mojolicious

  • nixos-unstable -

pkgs.perl540Packages.MojoliciousPluginGravatar

Globally Recognized Avatars for Mojolicious

  • nixos-unstable -

pkgs.perl538Packages.MojoliciousPluginAssetPack

Compress and convert css, less, sass, javascript and coffeescript files

  • nixos-unstable -

pkgs.perl540Packages.MojoliciousPluginAssetPack

Compress and convert css, less, sass, javascript and coffeescript files

  • nixos-unstable -

pkgs.perl538Packages.MojoliciousPluginRenderFile

"render_file" helper for Mojolicious

  • nixos-unstable -

pkgs.perl540Packages.MojoliciousPluginRenderFile

"render_file" helper for Mojolicious

  • nixos-unstable -

pkgs.perlPackages.MojoliciousPluginTextExceptions

Render exceptions as text in command line user agents

  • nixos-unstable -

pkgs.perlPackages.MojoliciousPluginTemplateToolkit

Template Toolkit renderer plugin for Mojolicious

  • nixos-unstable -

pkgs.perl538Packages.MojoliciousPluginTextExceptions

Render exceptions as text in command line user agents

  • nixos-unstable -

pkgs.perl540Packages.MojoliciousPluginTextExceptions

Render exceptions as text in command line user agents

  • nixos-unstable -

pkgs.perl538Packages.MojoliciousPluginTemplateToolkit

Template Toolkit renderer plugin for Mojolicious

  • nixos-unstable -

pkgs.perl540Packages.MojoliciousPluginTemplateToolkit

Template Toolkit renderer plugin for Mojolicious

  • nixos-unstable -

Package maintainers: 4

created 4 months ago
Certain build processes for libuv and Node.js for 32-bit systems, …

Certain build processes for libuv and Node.js for 32-bit systems, such as for the nodejs binary package through nodejs_20.19.0+dfsg-2_i386.deb for Debian GNU/Linux, have an inconsistent off_t size (e.g., building on i386 Debian always uses _FILE_OFFSET_BITS=64 for the libuv dynamic library, but uses the _FILE_OFFSET_BITS global system default of 32 for nodejs), leading to out-of-bounds access. NOTE: this is not a problem in the Node.js software itself. In particular, the Node.js website's download page does not offer prebuilt Node.js for Linux on i386.

Affected products

nodejs
  • =<nodejs_20.19.0+dfsg-2_i386.deb

Matching in nixpkgs

pkgs.nodejs_20

Event-driven I/O framework for the V8 JavaScript engine

pkgs.nodejs_22

Event-driven I/O framework for the V8 JavaScript engine

pkgs.corepack_20

Wrappers for npm, pnpm and Yarn via Node.js Corepack

pkgs.corepack_22

Wrappers for npm, pnpm and Yarn via Node.js Corepack

pkgs.nodejs_latest

Event-driven I/O framework for the V8 JavaScript engine

  • nixos-unstable -

pkgs.nodejs-slim_20

Event-driven I/O framework for the V8 JavaScript engine

pkgs.nodejs-slim_22

Event-driven I/O framework for the V8 JavaScript engine

pkgs.corepack_latest

Wrappers for npm, pnpm and Yarn via Node.js Corepack

  • nixos-unstable -

pkgs.elmPackages.nodejs

Event-driven I/O framework for the V8 JavaScript engine

pkgs.nodejs-slim_latest

Event-driven I/O framework for the V8 JavaScript engine

  • nixos-unstable -

pkgs.nodePackages.nodejs

Event-driven I/O framework for the V8 JavaScript engine

pkgs.nodejsInstallManuals

  • nixos-unstable -
    • nixpkgs-unstable

pkgs.haxePackages.hxnodejs_4

Extern definitions for node.js 4.x

  • nixos-unstable -

pkgs.haxePackages.hxnodejs_6

Extern definitions for node.js 6.9

  • nixos-unstable -

pkgs.matrix-sdk-crypto-nodejs

No-network-IO implementation of a state machine that handles E2EE for Matrix clients

pkgs.nodejsInstallExecutables

  • nixos-unstable -
    • nixpkgs-unstable

pkgs.nodePackages_latest.nodejs

Event-driven I/O framework for the V8 JavaScript engine

  • nixos-unstable -

pkgs.graalvmPackages.graalnodejs

High-Performance Polyglot VM (Product: graalnodejs)

  • nixos-unstable -

pkgs.pulumiPackages.pulumi-nodejs

Language host for Pulumi programs written in TypeScript & JavaScript (Node.js)

pkgs.python312Packages.hatch-nodejs-version

Plugins for dealing with NodeJS versions

  • nixos-unstable -

pkgs.python313Packages.hatch-nodejs-version

Plugins for dealing with NodeJS versions

  • nixos-unstable -

Package maintainers: 10

created 4 months ago
org.keycloak.protocol.services: Keycloak hostname verification

A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended.

Affected products

keycloak
  • <26.0.11
  • <26.2.2
  • <25.*
  • <26.1.*
rh-sso7-keycloak
rhbk/keycloak-rhel9
  • *
keycloak-rhel9-container
  • *
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
keycloak-rhel9-operator-container
  • *
keycloak-rhel9-operator-bundle-container
  • *

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

  • nixos-unstable -

pkgs.terraform-providers.keycloak

  • nixos-unstable -

pkgs.python312Packages.python-keycloak

Provides access to the Keycloak API

  • nixos-unstable -

pkgs.python313Packages.python-keycloak

Provides access to the Keycloak API

  • nixos-unstable -

Package maintainers: 4

created 4 months ago
Denial of service via crafted DoH exchange

When DNSdist is configured to provide DoH via the nghttp2 provider, an attacker can cause a denial of service by crafting a DoH exchange that triggers an illegal memory access (double-free) and crash of DNSdist, causing a denial of service. The remedy is: upgrade to the patched 1.9.9 version. A workaround is to temporarily switch to the h2o provider until DNSdist has been upgraded to a fixed version. We would like to thank Charles Howes for bringing this issue to our attention.

Affected products

dnsdist
  • <1.9.9

Matching in nixpkgs

pkgs.dnsdist

DNS Loadbalancer

  • nixos-unstable -

Package maintainers: 1

created 4 months ago
Libsoup: cookie domain validation bypass via uppercase characters in libsoup

A flaw was found in libsoup. When handling cookies, libsoup clients mistakenly allow cookies to be set for public suffix domains if the domain contains at least two components and includes an uppercase character. This bypasses public suffix protections and could allow a malicious website to set cookies for domains it does not own, potentially leading to integrity issues such as session fixation.

Affected products

libsoup
libsoup3
  • *

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

  • nixos-unstable -

pkgs.libsoup_2_4

HTTP client/server library for GNOME

  • nixos-unstable -

pkgs.tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4"

Test whether libsoup-2.74.3 exposes pkg-config modules libsoup-gnome-2.4

  • nixos-unstable -
    • nixpkgs-unstable

Package maintainers: 6

created 4 months ago
Moodle: IDOR when accessing the cohorts report

A flaw was discovered in Moodle. Additional checks were required to ensure that users can only access cohort data they are authorized to retrieve.

Affected products

moodle
  • <4.5.4
  • <4.4.8
  • <4.1.18
  • <4.3.12

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

  • nixos-unstable -

pkgs.moodle-dl

Moodle downloader that downloads course content fast from Moodle

  • nixos-unstable -

Package maintainers: 2