Nixpkgs Security Tracker

Automatically generated suggestions

created 4 months, 1 week ago
Libssh: incorrect return code handling in ssh_kdf() in libssh

A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the ssh_kdf() function responsible for key derivation. Due to an inconsistent interpretation of return values (OpenSSL uses 0 to indicate failure, while libssh uses 0 for success), the function may mistakenly return a success status even when key derivation fails. This results in uninitialized cryptographic key buffers being used in subsequent communication, potentially compromising the confidentiality, integrity, and availability of SSH sessions.
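
The return-convention mismatch described above, as an added example that is not libssh or OpenSSL code: a wrapper that passes an OpenSSL-style status (1 = success, 0 = failure) straight back to callers who read it with the libssh convention (0 = SSH_OK), beside the explicit mapping that fixes it. The openssl_style_kdf() stand-in, the SSH_OK/SSH_ERROR values, the KEY_LEN size and the run_session() harness are all assumptions made for this illustration; the stand-in only mimics the return convention and performs no real key derivation.

```c
/* Added example, not libssh or OpenSSL code: an OpenSSL-style status
 * (1 = success, 0 = failure) returned unchanged from a wrapper that callers
 * read with the libssh convention (0 = SSH_OK), beside the explicit mapping
 * that fixes it. openssl_style_kdf() is a stand-in that only mimics the
 * return convention; it performs no real key derivation. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSH_OK     0   /* libssh convention: 0 means success        */
#define SSH_ERROR -1   /* libssh convention: negative means failure */
#define KEY_LEN    32

/* Stand-in for an OpenSSL KDF call: 1 on success, 0 on failure. On failure
 * nothing is written to `out`, which is what leaves a key buffer unset. */
static int openssl_style_kdf(const uint8_t *secret, size_t secret_len,
                             uint8_t *out, size_t out_len)
{
    if (secret == NULL || secret_len == 0 || out == NULL || out_len == 0) {
        return 0;
    }
    for (size_t i = 0; i < out_len; i++) {      /* toy expansion, not a real KDF */
        out[i] = (uint8_t)(secret[i % secret_len] ^ (uint8_t)(0x5a + i));
    }
    return 1;
}

/* Vulnerable wrapper: hands the OpenSSL status back as if it were a libssh
 * status. A failed derivation returns 0, which the caller reads as SSH_OK,
 * and a successful one returns 1, which the caller reads as an error. */
static int derive_key_vulnerable(const uint8_t *secret, size_t secret_len,
                                 uint8_t *key, size_t key_len)
{
    int rc = openssl_style_kdf(secret, secret_len, key, key_len);
    return rc;
}

/* Fixed wrapper: translate the convention at the boundary, explicitly. */
static int derive_key_fixed(const uint8_t *secret, size_t secret_len,
                            uint8_t *key, size_t key_len)
{
    int rc = openssl_style_kdf(secret, secret_len, key, key_len);
    return (rc == 1) ? SSH_OK : SSH_ERROR;
}

/* Outcome codes for run_session(). */
#define OUTCOME_REJECTED_KEY_UNSET  0  /* failure handled correctly                    */
#define OUTCOME_PROCEEDED_KEY_SET   1  /* success handled correctly                    */
#define OUTCOME_PROCEEDED_KEY_UNSET 2  /* the flaw: session goes on with an unset key  */
#define OUTCOME_REJECTED_KEY_SET    3  /* success misread as failure                   */

/* Plays the caller's role: derive a session key through the chosen wrapper,
 * decide whether the session would proceed (rc == SSH_OK), and report whether
 * the key buffer was actually written. The 0xAA fill stands in for whatever
 * stale memory a real, uninitialised buffer would contain. */
static int run_session(int use_fixed, int kdf_fails)
{
    const uint8_t secret[] = { 0x01, 0x02, 0x03, 0x04 };
    const uint8_t *s = kdf_fails ? NULL : secret;
    size_t s_len = kdf_fails ? 0 : sizeof secret;
    uint8_t key[KEY_LEN], sentinel[KEY_LEN];

    memset(key, 0xAA, sizeof key);
    memset(sentinel, 0xAA, sizeof sentinel);

    int rc = use_fixed ? derive_key_fixed(s, s_len, key, sizeof key)
                       : derive_key_vulnerable(s, s_len, key, sizeof key);
    int proceeded = (rc == SSH_OK);
    int key_set = (memcmp(key, sentinel, sizeof key) != 0);

    if (proceeded && key_set)  return OUTCOME_PROCEEDED_KEY_SET;
    if (proceeded && !key_set) return OUTCOME_PROCEEDED_KEY_UNSET;
    if (!proceeded && key_set) return OUTCOME_REJECTED_KEY_SET;
    return OUTCOME_REJECTED_KEY_UNSET;
}

int main(void)
{
    printf("vulnerable wrapper, KDF fails:    outcome %d (2 = proceeds with unset key)\n",
           run_session(0, 1));
    printf("vulnerable wrapper, KDF succeeds: outcome %d (3 = success treated as error)\n",
           run_session(0, 0));
    printf("fixed wrapper, KDF fails:         outcome %d (0 = rejected)\n",
           run_session(1, 1));
    printf("fixed wrapper, KDF succeeds:      outcome %d (1 = proceeds with derived key)\n",
           run_session(1, 0));
    return 0;
}
```

The point the harness makes is that the bug is not only "failure looks like success": with the status passed through unchanged, the successful path (1) is also misread as an error, so the two conventions disagree on every value. Mapping at the boundary, as the fixed wrapper does, is the only place where both libraries' meanings are known.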

Affected products

rhcos
libssh
  • <0.11.2
  • *
libssh2

Matching in nixpkgs

pkgs.libssh

SSH client library

  • nixos-unstable -

pkgs.libssh2

Client-side C library implementing the SSH2 protocol

  • nixos-unstable -

pkgs.haskellPackages.libssh

libssh bindings

pkgs.python312Packages.ansible-pylibssh

Python bindings to client functionality of libssh specific to Ansible use case

  • nixos-unstable -

pkgs.python313Packages.ansible-pylibssh

Python bindings to client functionality of libssh specific to Ansible use case

  • nixos-unstable -

pkgs.tests.pkg-config.defaultPkgConfigPackages.libssh2

Test whether libssh2-1.11.1 exposes pkg-config modules libssh2

Package maintainers: 3

created 4 months, 1 week ago
WordPress Zita theme <= 1.6.5 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themehunk Zita allows PHP Local File Inclusion. This issue affects Zita: from n/a through 1.6.5.

Affected products

zita
  • =<1.6.5

Matching in nixpkgs

pkgs.zitadel

Identity and access management platform

  • nixos-unstable -

pkgs.zita-at1

Autotuner Jack application to correct the pitch of vocal tracks

pkgs.zita-ajbridge

Connect additional ALSA devices to JACK

  • nixos-unstable -

pkgs.zita-njbridge

Command line Jack clients to transmit full quality multichannel audio over a local IP network

  • nixos-unstable -

pkgs.zitadel-tools

Helper tools for zitadel

  • nixos-unstable -

pkgs.zita-alsa-pcmi

Successor of clalsadrv, provides easy access to ALSA PCM devices

  • nixos-unstable -

pkgs.zita-convolver

Convolution library by Fons Adriaensen

  • nixos-unstable -

pkgs.zita-resampler

Resample library by Fons Adriaensen

  • nixos-unstable -

Package maintainers: 3

created 4 months, 1 week ago
WordPress RSS Digest plugin <= 1.5 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in samcharrington RSS Digest allows Stored XSS. This issue affects RSS Digest: from n/a through 1.5.

Affected products

rss-digest
  • =<1.5

Matching in nixpkgs

pkgs.matcha-rss-digest

Daily digest generator from a list of RSS feeds

  • nixos-unstable -

Package maintainers: 1

created 4 months, 1 week ago
When a non-x86 platform is detected, cloud-init grants root access …

When a non-x86 platform is detected, cloud-init grants root access to a hardcoded URL with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.

Affected products

cloud-init
  • <25.1.3

Matching in nixpkgs

pkgs.cloud-init

Provides configuration and customization of cloud instance

  • nixos-unstable -

Package maintainers: 2

created 4 months, 1 week ago
cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with …

cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the "/run/cloud-init/hook-hotplug-cmd" FIFO. An unprivileged user could trigger hotplug-hook commands.

Affected products

cloud-init
  • <25.1.3

Matching in nixpkgs

pkgs.cloud-init

Provides configuration and customization of cloud instance

  • nixos-unstable -

Package maintainers: 2

created 4 months, 1 week ago
Libssh: out-of-bounds read in sftp_handle()

A flaw was found in the libssh library. An out-of-bounds read can be triggered in the sftp_handle function due to an incorrect comparison check that permits the function to access memory beyond the valid handle list and to return an invalid pointer, which is used in further processing. This vulnerability allows an authenticated remote attacker to potentially read unintended memory regions, exposing sensitive information or affecting service behavior.
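
The bug class described above, as an added example that is not libssh code: a handle lookup whose bounds comparison is off by one, next to the corrected check. The struct layout, the MAX_HANDLES size, the lookup API and the classify_lookup() harness are assumptions made for this illustration only; the extra trailing slot exists so that the demo itself has defined behaviour, where the real read is past the end of the list.

```c
/* Added example, not libssh code: the bug class described above, a handle
 * lookup whose bounds check is off by one, next to the corrected check. The
 * handle table layout, its size and the lookup API are assumptions made for
 * this illustration only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_HANDLES 4

/* Stands in for whatever stale data happens to sit just past the handle list. */
static int stale_object = 0xdead;

struct sftp_ctx {
    /* Valid handles occupy slots[0 .. MAX_HANDLES-1]. slots[MAX_HANDLES] is NOT
     * part of the list: it models the memory beyond it and is kept inside the
     * array only so that this demo itself has defined behaviour. In real code
     * the same read is out of bounds. */
    void *slots[MAX_HANDLES + 1];
};

static void ctx_init(struct sftp_ctx *ctx, void *const *objects, size_t n)
{
    memset(ctx, 0, sizeof *ctx);
    for (size_t i = 0; i < n && i < MAX_HANDLES; i++) {
        ctx->slots[i] = objects[i];
    }
    ctx->slots[MAX_HANDLES] = &stale_object;
}

/* Vulnerable: `idx > MAX_HANDLES` accepts idx == MAX_HANDLES, which reads one
 * element past the valid list and returns whatever pointer lives there. */
static void *lookup_handle_vulnerable(struct sftp_ctx *ctx, uint32_t idx)
{
    if (idx > MAX_HANDLES) {
        return NULL;
    }
    return ctx->slots[idx];
}

/* Fixed: a zero-based index into a list of MAX_HANDLES entries is valid only
 * when idx < MAX_HANDLES. */
static void *lookup_handle_fixed(struct sftp_ctx *ctx, uint32_t idx)
{
    if (idx >= MAX_HANDLES) {
        return NULL;
    }
    return ctx->slots[idx];
}

/* Classification of a lookup result. */
#define LOOKUP_NULL    0  /* rejected, caller sees an error              */
#define LOOKUP_VALID   1  /* one of the registered objects               */
#define LOOKUP_INVALID 2  /* a pointer that is not any registered object */

/* Builds a table with two registered objects and classifies what the chosen
 * lookup returns for a client-supplied index. The INVALID case is the pointer
 * "used in further processing" that the advisory warns about. */
static int classify_lookup(int use_fixed, uint32_t idx)
{
    static int obj_a, obj_b;
    void *objects[] = { &obj_a, &obj_b };
    struct sftp_ctx ctx;
    ctx_init(&ctx, objects, 2);

    void *p = use_fixed ? lookup_handle_fixed(&ctx, idx)
                        : lookup_handle_vulnerable(&ctx, idx);
    if (p == NULL) {
        return LOOKUP_NULL;
    }
    for (size_t i = 0; i < MAX_HANDLES; i++) {
        if (ctx.slots[i] == p) {
            return LOOKUP_VALID;
        }
    }
    return LOOKUP_INVALID;
}

int main(void)
{
    for (uint32_t idx = 0; idx <= MAX_HANDLES + 1; idx++) {
        printf("idx=%u  vulnerable=%d  fixed=%d   (0 NULL, 1 valid, 2 invalid pointer)\n",
               (unsigned)idx, classify_lookup(0, idx), classify_lookup(1, idx));
    }
    return 0;
}
```

Only the index equal to the list length behaves differently between the two checks; everything smaller is served from the table and everything larger is rejected by both. That single value is enough for an authenticated client to make the server hand back and then use a pointer that was never a registered handle.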

Affected products

rhcos
  • *
libssh
  • <0.11.2
  • *
rhosdt/tempo-rhel8
  • *
rhaiis/vllm-cuda-rhel9
  • *
rhaiis/vllm-rocm-rhel9
  • *
rhosdt/tempo-query-rhel8
  • *
rhosdt/tempo-gateway-rhel8
  • *
rhaiis/model-opt-cuda-rhel9
  • *
rhosdt/tempo-rhel8-operator
  • *
rhosdt/tempo-gateway-opa-rhel8
  • *
rhosdt/tempo-jaeger-query-rhel8
  • *

Matching in nixpkgs

pkgs.libssh

SSH client library

  • nixos-unstable -

pkgs.libssh2

Client-side C library implementing the SSH2 protocol

  • nixos-unstable -

pkgs.haskellPackages.libssh

libssh bindings

pkgs.python312Packages.ansible-pylibssh

Python bindings to client functionality of libssh specific to Ansible use case

  • nixos-unstable -

pkgs.python313Packages.ansible-pylibssh

Python bindings to client functionality of libssh specific to Ansible use case

  • nixos-unstable -

pkgs.tests.pkg-config.defaultPkgConfigPackages.libssh2

Test whether libssh2-1.11.1 exposes pkg-config modules libssh2

Package maintainers: 3

created 4 months, 1 week ago
Podman: podman missing tls verification

A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading VM images from an OCI registry, exposing the download to a man-in-the-middle attack.

Affected products

rhcos
  • *
podman
  • <5.5.2
  • *
container-tools:rhel8
  • *
container-tools:rhel8/podman

Matching in nixpkgs

pkgs.podman

Program for managing pods, containers and container images

  • nixos-unstable -

pkgs.podman-tui

Podman Terminal UI

  • nixos-unstable -

pkgs.podman-bootc

Streamlining podman+bootc interactions

  • nixos-unstable -

pkgs.podman-compose

Implementation of docker-compose with podman backend

  • nixos-unstable -

pkgs.podman-desktop

Graphical tool for developing on containers and Kubernetes

  • nixos-unstable -

pkgs.nomad-driver-podman

Podman task driver for Nomad

  • nixos-unstable -

pkgs.python312Packages.podman

Python bindings for Podman's RESTful API

  • nixos-unstable -

pkgs.python313Packages.podman

Python bindings for Podman's RESTful API

  • nixos-unstable -

Package maintainers: 8

created 4 months, 1 week ago
On Node.js < 3, pbkdf2 silently disregards Uint8Array input, returning static keys

Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This issue affects pbkdf2: <=3.1.2.

Affected products

pbkdf2
  • ==<=3.1.2

Matching in nixpkgs

pkgs.fastpbkdf2

Fast PBKDF2-HMAC-{SHA1,SHA256,SHA512} implementation in C

  • nixos-unstable -

pkgs.python312Packages.pbkdf2

pkgs.python313Packages.pbkdf2

pkgs.python312Packages.fastpbkdf2

Python bindings for fastpbkdf2

pkgs.python313Packages.fastpbkdf2

Python bindings for fastpbkdf2

pkgs.chickenPackages_5.chickenEggs.pbkdf2

Password-Based Key Derivation Function as defined in RFC2898

Package maintainers: 2

created 4 months, 1 week ago
pbkdf2 silently returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos supported by Node.js

Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program file lib/to-buffer.js. This issue affects pbkdf2: from 3.0.10 through 3.1.2.

Affected products

pbkdf2
  • =<3.1.2

Matching in nixpkgs

pkgs.fastpbkdf2

Fast PBKDF2-HMAC-{SHA1,SHA256,SHA512} implementation in C

  • nixos-unstable -

pkgs.python312Packages.pbkdf2

pkgs.python313Packages.pbkdf2

pkgs.python312Packages.fastpbkdf2

Python bindings for fastpbkdf2

pkgs.python313Packages.fastpbkdf2

Python bindings for fastpbkdf2

pkgs.chickenPackages_5.chickenEggs.pbkdf2

Password-Based Key Derivation Function as defined in RFC2898

Package maintainers: 2

updated 2 months, 3 weeks ago by @LeSuisse
Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    3 packages
    • terraform-providers.keycloak
    • python312Packages.python-keycloak
    • python313Packages.python-keycloak
Keycloak-core: keycloak environment information

A vulnerability has been identified in Keycloak that could lead to unauthorized information disclosure. While it requires an already authenticated user, the /admin/serverinfo endpoint can inadvertently provide sensitive environment information.

Affected products

keycloak

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

  • nixos-unstable -

Package maintainers: 4