Nixpkgs Security Tracker

Login with GitHub

Automatically generated suggestions

to queue a suggestion for refinement.

to remove a suggestion from the queue.

CVE-2025-32910
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 2 months, 3 weeks ago
Libsoup: null pointer deference on libsoup via /auth/soup-auth-digest.c through "soup_auth_digest_authenticate" on client when server omits the "realm" parameter in an unauthorized response with digest authentication

A flaw was found in libsoup, where soup_auth_digest_authenticate() is vulnerable to a NULL pointer dereference. This issue may cause the libsoup client to crash.

Affected products

libsoup
  • <3.6.3
libsoup3
mingw-freetype
  • *
spice-client-win
  • *

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

pkgs.libsoup_2_4

HTTP client/server library for GNOME

pkgs.tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4"

Test whether libsoup-2.74.3 exposes pkg-config modules libsoup-gnome-2.4

  • nixos-unstable ???
    • nixpkgs-unstable

Package maintainers: 6

CVE-2025-32907
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 2 months, 3 weeks ago
Libsoup: denial of service in server when client requests a large amount of overlapping ranges with range header

A flaw was found in libsoup. The implementation of HTTP range requests is vulnerable to a resource consumption attack. This flaw allows a malicious client to request the same range many times in a single HTTP request, causing the server to use large amounts of memory.

Affected products

libsoup
  • <3.6.5
  • *
libsoup3
  • *
mingw-freetype
  • *
spice-client-win
  • *

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

pkgs.libsoup_2_4

HTTP client/server library for GNOME

pkgs.tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4"

Test whether libsoup-2.74.3 exposes pkg-config modules libsoup-gnome-2.4

  • nixos-unstable ???
    • nixpkgs-unstable

Package maintainers: 6

CVE-2025-32913
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 2 months, 3 weeks ago
Libsoup: null pointer dereference in soup_message_headers_get_content_disposition when "filename" parameter is present, but has no value in content-disposition header

A flaw was found in libsoup, where the soup_message_headers_get_content_disposition() function is vulnerable to a NULL pointer dereference. This flaw allows a malicious HTTP peer to crash a libsoup client or server that uses this function.

Affected products

libsoup
  • <3.6.2
  • *
libsoup3
mingw-freetype
  • *
spice-client-win
  • *

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

pkgs.libsoup_2_4

HTTP client/server library for GNOME

pkgs.tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4"

Test whether libsoup-2.74.3 exposes pkg-config modules libsoup-gnome-2.4

  • nixos-unstable ???
    • nixpkgs-unstable

Package maintainers: 6

CVE-2025-31344
7.3 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): HIGH
created 2 months, 3 weeks ago
The giflib open-source component has a buffer overflow vulnerability

Heap-based Buffer Overflow vulnerability in openEuler giflib on Linux. This vulnerability is associated with program files gif2rgb.C. This issue affects giflib: through 5.2.2.

Affected products

giflib
  • =<5.2.2

Matching in nixpkgs

pkgs.giflib

Library for reading and writing gif images

CVE-2025-32908
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 2 months, 3 weeks ago
Libsoup: denial of service on libsoup through http/2 server

A flaw was found in libsoup. The HTTP/2 server in libsoup may not fully validate the values of pseudo-headers :scheme, :authority, and :path, which may allow a user to cause a denial of service (DoS).

Affected products

libsoup
  • <3.6.5
libsoup3
  • *

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

pkgs.libsoup_2_4

HTTP client/server library for GNOME

pkgs.tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4"

Test whether libsoup-2.74.3 exposes pkg-config modules libsoup-gnome-2.4

  • nixos-unstable ???
    • nixpkgs-unstable

Package maintainers: 6

CVE-2025-2814
4.0 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 2 months, 3 weeks ago
Crypt::CBC versions between 1.21 and 3.04 for Perl may use insecure rand() function for cryptographic functions

Crypt::CBC versions between 1.21 and 3.04 for Perl may use the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. This issue affects operating systems where "/dev/urandom'" is unavailable.  In that case, Crypt::CBC will fallback to use the insecure rand() function.

Affected products

Crypt-CBC
  • =<3.05
  • =<3.04

Matching in nixpkgs

pkgs.perlPackages.CryptCBC

Encrypt Data with Cipher Block Chaining Mode

pkgs.perl538Packages.CryptCBC

Encrypt Data with Cipher Block Chaining Mode

pkgs.perl540Packages.CryptCBC

Encrypt Data with Cipher Block Chaining Mode

CVE-2025-32589
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 2 months, 3 weeks ago
WordPress Flexi – Guest Submit Plugin <= 4.28 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in odude Flexi – Guest Submit allows PHP Local File Inclusion. This issue affects Flexi – Guest Submit: from n/a through 4.28.

Affected products

flexi
  • =<4.28

Matching in nixpkgs

pkgs.flexibee

Client for an accouting economic system

pkgs.python312Packages.pyflexit

Python library for Flexit A/C units

pkgs.python313Packages.pyflexit

Python library for Flexit A/C units

pkgs.haskellPackages.flexible-unlit

A configurable reimplementation of unlit

pkgs.python312Packages.flexit-bacnet

Client BACnet library for Flexit Nordic series of air handling units

pkgs.python313Packages.flexit-bacnet

Client BACnet library for Flexit Nordic series of air handling units

pkgs.haskellPackages.flexible-defaults

Generate default function implementations for complex type classes

pkgs.terraform-providers.flexibleengine

pkgs.haskellPackages.flexible-numeric-parsers

Flexible numeric parsers for real-world programming languages

pkgs.home-assistant-component-tests.flexit_bacnet

Open source home automation that puts local control and privacy first

pkgs.python312Packages.azure-mgmt-mysqlflexibleservers

Microsoft Azure Mysqlflexibleservers Management Client Library for Python

pkgs.python313Packages.azure-mgmt-mysqlflexibleservers

Microsoft Azure Mysqlflexibleservers Management Client Library for Python

pkgs.python312Packages.azure-mgmt-postgresqlflexibleservers

Microsoft Azure Postgresqlflexibleservers Management Client Library for Python

pkgs.python313Packages.azure-mgmt-postgresqlflexibleservers

Microsoft Azure Postgresqlflexibleservers Management Client Library for Python

pkgs.tests.stdenv.hooks.no-broken-symlinks.fail-reflexive-symlink-absolute

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.tests.stdenv.hooks.no-broken-symlinks.fail-reflexive-symlink-relative

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.tests.stdenv.hooks.no-broken-symlinks.pass-reflexive-symlink-absolute-allowed

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.tests.stdenv.hooks.no-broken-symlinks.pass-reflexive-symlink-relative-allowed

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.tests.hooks.default-stdenv-hooks.no-broken-symlinks.fail-reflexive-symlink-absolute

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.tests.hooks.default-stdenv-hooks.no-broken-symlinks.fail-reflexive-symlink-relative

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.tests.hooks.default-stdenv-hooks.no-broken-symlinks.pass-reflexive-symlink-absolute-allowed

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.tests.hooks.default-stdenv-hooks.no-broken-symlinks.pass-reflexive-symlink-relative-allowed

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.tests.stdenv.structuredAttrsByDefault.hooks.no-broken-symlinks.fail-reflexive-symlink-absolute

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.tests.stdenv.structuredAttrsByDefault.hooks.no-broken-symlinks.fail-reflexive-symlink-relative

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.tests.stdenv.structuredAttrsByDefault.hooks.no-broken-symlinks.pass-reflexive-symlink-absolute-allowed

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.tests.stdenv.structuredAttrsByDefault.hooks.no-broken-symlinks.pass-reflexive-symlink-relative-allowed

  • nixos-unstable ???
    • nixpkgs-unstable

Package maintainers: 9

CVE-2025-1386
created 2 months, 3 weeks ago
Query smuggling in ch-go library

When using the ch-go library, under a specific condition when the query includes a large, uncompressed malicious external data, it is possible for an attacker in control of such data to smuggle another query packet into the connection stream.

Affected products

ch-go
  • <0.65.0

Matching in nixpkgs

pkgs.immich-go

Immich client tool for bulk-uploads

Package maintainers: 1

CVE-2025-32618
8.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 2 months, 3 weeks ago
WordPress Wishlist plugin <= 1.0.43 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PickPlugins Wishlist allows SQL Injection. This issue affects Wishlist: from n/a through 1.0.43.

Affected products

wishlist
  • =<1.0.43

Matching in nixpkgs

pkgs.wishlist

Single entrypoint for multiple SSH endpoints

Package maintainers: 2

CVE-2025-32230
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 2 months, 3 weeks ago
WordPress Tutor LMS plugin <= 3.4.0 - HTML Injection vulnerability

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Themeum Tutor LMS. This issue affects Tutor LMS: from n/a through 3.4.0.

Affected products

tutor
  • =<3.4.0

Matching in nixpkgs

pkgs.typstPackages.tutor_0_3_0

Utilities to create exams

pkgs.typstPackages.tutor_0_4_0

Utilities to create exams

pkgs.typstPackages.tutor_0_6_1

Utilities to create exams

pkgs.typstPackages.tutor_0_7_0

Utilities to create exams

pkgs.typstPackages.tutor_0_8_0

Utilities to create exams

pkgs.haskellPackages.timeless-tutorials

Initial project template from stack

Package maintainers: 1