Nixpkgs Security Tracker

Login with GitHub

Automatically generated suggestions

to queue a suggestion for refinement.

to remove a suggestion from the queue.

CVE-2025-47153
created 4 months ago
Certain build processes for libuv and Node.js for 32-bit systems, …

Certain build processes for libuv and Node.js for 32-bit systems, such as for the nodejs binary package through nodejs_20.19.0+dfsg-2_i386.deb for Debian GNU/Linux, have an inconsistent off_t size (e.g., building on i386 Debian always uses _FILE_OFFSET_BITS=64 for the libuv dynamic library, but uses the _FILE_OFFSET_BITS global system default of 32 for nodejs), leading to out-of-bounds access. NOTE: this is not a problem in the Node.js software itself. In particular, the Node.js website's download page does not offer prebuilt Node.js for Linux on i386.

Affected products

nodejs
  • =<nodejs_20.19.0+dfsg-2_i386.deb

Matching in nixpkgs

pkgs.nodejs_20

Event-driven I/O framework for the V8 JavaScript engine

pkgs.nodejs_22

Event-driven I/O framework for the V8 JavaScript engine

pkgs.corepack_20

Wrappers for npm, pnpm and Yarn via Node.js Corepack

pkgs.corepack_22

Wrappers for npm, pnpm and Yarn via Node.js Corepack

pkgs.nodejs_latest

Event-driven I/O framework for the V8 JavaScript engine

  • nixos-unstable -

pkgs.nodejs-slim_20

Event-driven I/O framework for the V8 JavaScript engine

pkgs.nodejs-slim_22

Event-driven I/O framework for the V8 JavaScript engine

pkgs.corepack_latest

Wrappers for npm, pnpm and Yarn via Node.js Corepack

  • nixos-unstable -

pkgs.elmPackages.nodejs

Event-driven I/O framework for the V8 JavaScript engine

pkgs.nodejs-slim_latest

Event-driven I/O framework for the V8 JavaScript engine

  • nixos-unstable -

pkgs.nodePackages.nodejs

Event-driven I/O framework for the V8 JavaScript engine

pkgs.nodejsInstallManuals

  • nixos-unstable -
    • nixpkgs-unstable

pkgs.haxePackages.hxnodejs_4

Extern definitions for node.js 4.x

  • nixos-unstable -

pkgs.haxePackages.hxnodejs_6

Extern definitions for node.js 6.9

  • nixos-unstable -

pkgs.matrix-sdk-crypto-nodejs

No-network-IO implementation of a state machine that handles E2EE for Matrix clients

pkgs.nodejsInstallExecutables

  • nixos-unstable -
    • nixpkgs-unstable

pkgs.nodePackages_latest.nodejs

Event-driven I/O framework for the V8 JavaScript engine

  • nixos-unstable -

pkgs.graalvmPackages.graalnodejs

High-Performance Polyglot VM (Product: graalnodejs)

  • nixos-unstable -

pkgs.pulumiPackages.pulumi-nodejs

Language host for Pulumi programs written in TypeScript & JavaScript (Node.js)

pkgs.python312Packages.hatch-nodejs-version

Plugins for dealing with NodeJS versions

  • nixos-unstable -

pkgs.python313Packages.hatch-nodejs-version

Plugins for dealing with NodeJS versions

  • nixos-unstable -

Package maintainers: 10

CVE-2025-3501
created 4 months ago
Org.keycloak.protocol.services: keycloak hostname verification

A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended.

Affected products

keycloak
  • <26.0.11
  • <26.2.2
  • <25.*
  • <26.1.*
rh-sso7-keycloak
rhbk/keycloak-rhel9
  • *
keycloak-rhel9-container
  • *
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
keycloak-rhel9-operator-container
  • *
keycloak-rhel9-operator-bundle-container
  • *

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

  • nixos-unstable -

pkgs.terraform-providers.keycloak

  • nixos-unstable -

pkgs.python312Packages.python-keycloak

Provides access to the Keycloak API

  • nixos-unstable -

pkgs.python313Packages.python-keycloak

Provides access to the Keycloak API

  • nixos-unstable -

Package maintainers: 4

CVE-2025-30194
created 4 months ago
Denial of service via crafted DoH exchange

When DNSdist is configured to provide DoH via the nghttp2 provider, an attacker can cause a denial of service by crafting a DoH exchange that triggers an illegal memory access (double-free) and crash of DNSdist, causing a denial of service. The remedy is: upgrade to the patched 1.9.9 version. A workaround is to temporarily switch to the h2o provider until DNSdist has been upgraded to a fixed version. We would like to thank Charles Howes for bringing this issue to our attention.

Affected products

dnsdist
  • <1.9.9

Matching in nixpkgs

pkgs.dnsdist

DNS Loadbalancer

  • nixos-unstable -

Package maintainers: 1

CVE-2025-4035
created 4 months ago
Libsoup: cookie domain validation bypass via uppercase characters in libsoup

A flaw was found in libsoup. When handling cookies, libsoup clients mistakenly allow cookies to be set for public suffix domains if the domain contains at least two components and includes an uppercase character. This bypasses public suffix protections and could allow a malicious website to set cookies for domains it does not own, potentially leading to integrity issues such as session fixation.

Affected products

libsoup
libsoup3
  • *

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

  • nixos-unstable -

pkgs.libsoup_2_4

HTTP client/server library for GNOME

  • nixos-unstable -

pkgs.tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4"

Test whether libsoup-2.74.3 exposes pkg-config modules libsoup-gnome-2.4

  • nixos-unstable -
    • nixpkgs-unstable

Package maintainers: 6

CVE-2025-3647
created 4 months ago
Moodle: idor when accessing the cohorts report

A flaw was discovered in Moodle. Additional checks were required to ensure that users can only access cohort data they are authorized to retrieve.

Affected products

moodle
  • <4.5.4
  • <4.4.8
  • <4.1.18
  • <4.3.12

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

  • nixos-unstable -

pkgs.moodle-dl

Moodle downloader that downloads course content fast from Moodle

  • nixos-unstable -

Package maintainers: 2

CVE-2025-3637
created 4 months ago
Moodle: csrf token exposure via url in moodle mod_data module

A security vulnerability was found in Moodle where confidential information that prevents cross-site request forgery (CSRF) attacks was shared publicly through the site's URL. This vulnerability occurred specifically on two types of pages within the mod_data module: edit and delete pages.

Affected products

moodle
  • <4.3.12
  • <4.4.8
  • <4.1.18
  • <4.5.4

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

  • nixos-unstable -

pkgs.moodle-dl

Moodle downloader that downloads course content fast from Moodle

  • nixos-unstable -

Package maintainers: 2

CVE-2025-3645
created 4 months ago
Moodle: idor in messaging web service allows access to some user details

A flaw was found in Moodle. Insufficient capability checks in a messaging web service allowed users to view other users' names and online statuses.

Affected products

moodle
  • <4.1.18
  • <4.4.8
  • <4.3.12
  • <4.5.4

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

  • nixos-unstable -

pkgs.moodle-dl

Moodle downloader that downloads course content fast from Moodle

  • nixos-unstable -

Package maintainers: 2

CVE-2025-3636
created 4 months ago
Moodle: idor in moodle rss block allows unauthorized access to rss feeds

A flaw was found in Moodle. This vulnerability allows unauthorized users to access and view RSS feeds due to insufficient capability checks.

Affected products

moodle
  • <4.5.4
  • <4.4.8
  • <4.1.18
  • <4.3.12

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

  • nixos-unstable -

pkgs.moodle-dl

Moodle downloader that downloads course content fast from Moodle

  • nixos-unstable -

Package maintainers: 2

CVE-2025-3634
created 4 months ago
Moodle: moodle allows course self-enrolment before completing mfa

A security vulnerability was discovered in Moodle that allows students to enroll themselves in courses without completing all the necessary safety checks. Specifically, users can sign up for courses prematurely, even if they haven't finished two-step verification processes.

Affected products

moodle
  • <4.3.12
  • <4.4.8
  • <4.5.4

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

  • nixos-unstable -

pkgs.moodle-dl

Moodle downloader that downloads course content fast from Moodle

  • nixos-unstable -

Package maintainers: 2

CVE-2025-3627
created 4 months ago
Moodle: partial data exposure in moodle before completing multi-factor authentication

A security vulnerability was discovered in Moodle that allows some users to access sensitive information about other students before they finish verifying their identities using two-factor authentication (2FA).

Affected products

moodle
  • <4.3.12
  • <4.4.8
  • <4.5.4

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

  • nixos-unstable -

pkgs.moodle-dl

Moodle downloader that downloads course content fast from Moodle

  • nixos-unstable -

Package maintainers: 2