Nixpkgs Security Tracker

Automatically generated suggestions

CVE-2025-23386
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 2 months, 4 weeks ago
gerbera: Privilege escalation from user gerbera to root because of insecure %post script

An Incorrect Default Permissions vulnerability in the openSUSE Tumbleweed package gerbera allows the service user gerbera to escalate to root. This issue affects gerbera on openSUSE Tumbleweed before 2.5.0-1.1.

Affected products

gerbera
  • <2.5.0-1.1

Matching in nixpkgs

pkgs.gerbera

UPnP Media Server for 2024

Package maintainers: 1

CVE-2025-32584
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 2 months, 4 weeks ago
WordPress Chat2 plugin <= 3.6.3 - CSRF to Stored XSS vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Chat2 Chat2 allows Cross Site Request Forgery. This issue affects Chat2: from n/a through 3.6.3.

Affected products

chat2
  • =<3.6.3

Matching in nixpkgs

pkgs.python312Packages.deltachat2

Client library for Delta Chat core JSON-RPC interface

pkgs.python313Packages.deltachat2

Client library for Delta Chat core JSON-RPC interface

Package maintainers: 1

CVE-2025-31003
2.7 LOW
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 2 months, 4 weeks ago
WordPress Squeeze plugin <= 1.6 - Full Path Disclosure (FPD) vulnerability

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Bogdan Bendziukov Squeeze allows Retrieve Embedded Sensitive Data. This issue affects Squeeze: from n/a through 1.6.

Affected products

squeeze
  • =<1.6

Matching in nixpkgs

pkgs.squeezelite

Lightweight headless squeezebox client emulator

pkgs.squeezelite-pulse

Lightweight headless squeezebox client emulator

pkgs.postgresqlPackages.pg_squeeze

PostgreSQL extension for automatic bloat cleanup

pkgs.python312Packages.pysqueezebox

Asynchronous library to control Logitech Media Server

pkgs.python313Packages.pysqueezebox

Asynchronous library to control Logitech Media Server

pkgs.postgresql13Packages.pg_squeeze

PostgreSQL extension for automatic bloat cleanup

pkgs.postgresql14Packages.pg_squeeze

PostgreSQL extension for automatic bloat cleanup

pkgs.postgresql15Packages.pg_squeeze

PostgreSQL extension for automatic bloat cleanup

pkgs.postgresql16Packages.pg_squeeze

PostgreSQL extension for automatic bloat cleanup

pkgs.postgresql18Packages.pg_squeeze

PostgreSQL extension for automatic bloat cleanup

pkgs.home-assistant-component-tests.squeezebox

Open source home automation that puts local control and privacy first

Package maintainers: 5

CVE-2025-31002
9.1 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 2 months, 4 weeks ago
WordPress Squeeze plugin <= 1.6 - Arbitrary File Upload vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in Bogdan Bendziukov Squeeze allows Using Malicious Files. This issue affects Squeeze: from n/a through 1.6.

Affected products

squeeze
  • =<1.6

Matching in nixpkgs

pkgs.squeezelite

Lightweight headless squeezebox client emulator

pkgs.squeezelite-pulse

Lightweight headless squeezebox client emulator

pkgs.postgresqlPackages.pg_squeeze

PostgreSQL extension for automatic bloat cleanup

pkgs.python312Packages.pysqueezebox

Asynchronous library to control Logitech Media Server

pkgs.python313Packages.pysqueezebox

Asynchronous library to control Logitech Media Server

pkgs.postgresql13Packages.pg_squeeze

PostgreSQL extension for automatic bloat cleanup

pkgs.postgresql14Packages.pg_squeeze

PostgreSQL extension for automatic bloat cleanup

pkgs.postgresql15Packages.pg_squeeze

PostgreSQL extension for automatic bloat cleanup

pkgs.postgresql16Packages.pg_squeeze

PostgreSQL extension for automatic bloat cleanup

pkgs.postgresql18Packages.pg_squeeze

PostgreSQL extension for automatic bloat cleanup

pkgs.home-assistant-component-tests.squeezebox

Open source home automation that puts local control and privacy first

Package maintainers: 5

CVE-2025-31375
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 2 months, 4 weeks ago
WordPress Scheduled plugin <= 1.0 - CSRF to Stored XSS vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in bhoogterp Scheduled allows Stored XSS. This issue affects Scheduled: from n/a through 1.0.

Affected products

scheduled
  • =<1.0

Matching in nixpkgs

pkgs.azure-cli-extensions.scheduled-query

Microsoft Azure Command-Line Tools Scheduled_query Extension

Package maintainers: 2

CVE-2025-3416
3.7 LOW
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 2 months, 4 weeks ago
Openssl: rust-openssl use-after-free in `md::fetch` and `cipher::fetch`

A flaw was found in OpenSSL's handling of the properties argument in certain functions. This vulnerability can allow use-after-free exploitation, which may result in undefined behavior or incorrect property parsing, leading to OpenSSL treating the input as an empty string.

Affected products

gjs
polkit
firefox
mozjs60
openssl
rpm-ostree
389-ds-base
rust-bootupd
rust-openssl
  • <0.10.72
mingw-openssl
kata-containers
keylime-agent-rust
rhtas/tuffer-rhel9
rhtas/tuftool-rhel9
389-ds:1.4/389-ds-base
firefox:flatpak/firefox
python3.12-cryptography
redhat-ds:11/389-ds-base
redhat-ds:12/389-ds-base
rhtpa/rhtpa-trustification-service-rhel9

Matching in nixpkgs

pkgs.gjs

JavaScript bindings for GNOME

pkgs.polkit

Toolkit for defining and handling the policy that allows unprivileged processes to speak to privileged processes

pkgs.openssl

Cryptographic library that implements the SSL and TLS protocols

pkgs.xulrunner

Web browser built from Firefox source tree

pkgs.cmd-polkit

Easily create polkit authentication agents by using commands

pkgs.firefoxpwa

Tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox (native component)

pkgs.rpm-ostree

Hybrid image/package system. It uses OSTree as an image format, and uses RPM as a component model

pkgs.openssl_1_1

Cryptographic library that implements the SSL and TLS protocols

pkgs.openssl_3_0

Cryptographic library that implements the SSL and TLS protocols

pkgs.openssl_3_5

Cryptographic library that implements the SSL and TLS protocols

pkgs._389-ds-base

Enterprise-class Open Source LDAP server for Linux

pkgs.polkit_gnome

Dbus session bus service that is used to bring up authentication dialogs

pkgs.tpm2-openssl

OpenSSL Provider for TPM2 integration

pkgs.faust2firefox

The faust2firefox script, part of faust functional programming language for realtime audio signal processing

pkgs.openssl_legacy

Cryptographic library that implements the SSL and TLS protocols

pkgs.firefox_decrypt

Tool to extract passwords from profiles of Mozilla Firefox and derivates

pkgs.hyprpolkitagent

Polkit authentication agent written in QT/QML

pkgs.mate.mate-polkit

Integrates polkit authentication for MATE desktop

pkgs.firefox-unwrapped

Web browser built from Firefox source tree

pkgs.pcscliteWithPolkit

Middleware to access a smart card using SCard API (PC/SC)

pkgs.firefox-sync-client

Commandline-utility to list/view/edit/delete entries in a firefox-sync account

pkgs.libsForQt5.polkit-qt

Qt wrapper around PolKit

pkgs.rubyPackages.openssl

pkgs.firefox-esr-unwrapped

Web browser built from Firefox source tree

pkgs.firefox-beta-unwrapped

Web browser built from Firefox Beta Release source tree

pkgs.gnomeExtensions.gjs-osk

A new Onscreen Keyboard built using GNOME JS

pkgs.kdePackages.polkit-qt-1

Qt wrapper around Polkit-1 client libraries

pkgs.php81Extensions.openssl

PHP upstream extension: openssl

pkgs.php82Extensions.openssl

PHP upstream extension: openssl

pkgs.php83Extensions.openssl

PHP upstream extension: openssl

pkgs.php84Extensions.openssl

PHP upstream extension: openssl

pkgs.haskellPackages.hopenssl

FFI Bindings to OpenSSL's EVP Digest Interface

pkgs.rubyPackages_3_1.openssl

pkgs.rubyPackages_3_2.openssl

pkgs.rubyPackages_3_3.openssl

pkgs.rubyPackages_3_4.openssl

pkgs.bruteforce-salted-openssl

Try to find the password of file encrypted with OpenSSL

pkgs.plasma5Packages.polkit-qt

Qt wrapper around PolKit

pkgs.python312Packages.pypugjs

PugJS syntax template adapter for Django, Jinja2, Mako and Tornado templates

pkgs.python313Packages.pypugjs

PugJS syntax template adapter for Django, Jinja2, Mako and Tornado templates

pkgs.lomiri.lomiri-polkit-agent

Policy kit agent for the Lomiri desktop

pkgs.python312Packages.pyopenssl

Python wrapper around the OpenSSL library

pkgs.python313Packages.pyopenssl

Python wrapper around the OpenSSL library

pkgs.firefox-devedition-unwrapped

Web browser built from Firefox Developer Edition source tree

pkgs.python312Packages.aioopenssl

TLS-capable transport using OpenSSL for asyncio

pkgs.python313Packages.aioopenssl

TLS-capable transport using OpenSSL for asyncio

pkgs.luaPackages.lua-resty-openssl

No summary

pkgs.kdePackages.polkit-kde-agent-1

Daemon providing a Polkit authentication UI for Plasma

pkgs.pantheon.pantheon-agent-polkit

Polkit Agent for the Pantheon Desktop

pkgs.php81Extensions.openssl-legacy

PHP upstream extension: openssl-legacy

pkgs.php82Extensions.openssl-legacy

PHP upstream extension: openssl-legacy

pkgs.php83Extensions.openssl-legacy

PHP upstream extension: openssl-legacy

pkgs.php84Extensions.openssl-legacy

PHP upstream extension: openssl-legacy

pkgs.python312Packages.cryptography

Package which provides cryptographic recipes and primitives

pkgs.haskellPackages.openssl-streams

OpenSSL network support for io-streams

pkgs.lua51Packages.lua-resty-openssl

No summary

pkgs.lua52Packages.lua-resty-openssl

No summary

pkgs.lua53Packages.lua-resty-openssl

No summary

pkgs.lua54Packages.lua-resty-openssl

No summary

pkgs.gnomeExtensions.firefox-profiles

Easily launch Firefox with your favorite profile right from the indicator menu!

pkgs.luajitPackages.lua-resty-openssl

No summary

pkgs.haskellPackages.openssl-createkey

Create OpenSSL keypairs

pkgs.python312Packages.types-pyopenssl

Typing stubs for pyopenssl

pkgs.python313Packages.types-pyopenssl

Typing stubs for pyopenssl

pkgs.haskellPackages.cryptonite-openssl

Crypto stuff using OpenSSL cryptographic library

pkgs.haskellPackages.http-client-openssl

http-client backend using the OpenSSL library

pkgs.chickenPackages_5.chickenEggs.openssl

Bindings to the OpenSSL SSL/TLS library

pkgs.tests.pkg-config.defaultPkgConfigPackages.libssl

Test whether openssl-3.5.1 exposes pkg-config modules libssl

  • nixos-unstable
    • nixpkgs-unstable

pkgs.tests.pkg-config.defaultPkgConfigPackages.openssl

Test whether openssl-3.5.1 exposes pkg-config modules openssl

  • nixos-unstable
    • nixpkgs-unstable

pkgs.tests.pkg-config.defaultPkgConfigPackages.libcrypto

Test whether openssl-3.5.1 exposes pkg-config modules libcrypto

  • nixos-unstable
    • nixpkgs-unstable

pkgs.tests.testers.hasPkgConfigModules.openssl-has-openssl

Test whether openssl-3.5.1 exposes pkg-config modules openssl

  • nixos-unstable
    • nixpkgs-unstable

pkgs.vscode-extensions.firefox-devtools.vscode-firefox-debug

Visual Studio Code extension for debugging web applications and browser extensions in Firefox

pkgs.tests.testers.hasPkgConfigModules.openssl-has-all-meta-pkgConfigModules

Test whether openssl-3.5.1 exposes pkg-config modules libcrypto, libssl, openssl

  • nixos-unstable
    • nixpkgs-unstable

Package maintainers: 48

CVE-2025-3359
6.2 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 2 months, 4 weeks ago
Gnuplot: segmentation fault via io_str_init_static_internal function

A flaw was found in GNUPlot. A segmentation fault via IO_str_init_static_internal may jeopardize the environment.

Affected products

gnuplot
  • <6.1

Matching in nixpkgs

pkgs.gnuplot

Portable command-line driven graphing utility for many platforms

pkgs.gnuplot_qt

Portable command-line driven graphing utility for many platforms

pkgs.feedgnuplot

General purpose pipe-oriented plotting tool

pkgs.gnuplot_aquaterm

Portable command-line driven graphing utility for many platforms

pkgs.haskellPackages.gnuplot

2D and 3D plots using gnuplot

pkgs.chickenPackages_5.chickenEggs.gnuplot-pipe

A simple interface to Gnuplot

pkgs.vimPlugins.nvim-treesitter-parsers.gnuplot

  • nixos-unstable
    • nixpkgs-unstable

Package maintainers: 3

CVE-2025-30195
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 2 months, 4 weeks ago
A crafted zone can lead to an illegal memory access in the PowerDNS Recursor

An attacker can publish a zone containing specific Resource Record Sets. Processing and caching results for these sets can lead to illegal memory accesses and a crash of the Recursor, causing a denial of service. The remedy is: upgrade to the patched 5.2.1 version. We would like to thank Volodymyr Ilyin for bringing this issue to our attention.

Affected products

pdns-recursor
  • ==5.2.0

Matching in nixpkgs

pkgs.pdns-recursor

Recursive DNS server

Package maintainers: 1

CVE-2025-3360
3.7 LOW
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 2 months, 4 weeks ago
Glibc: glib prior to 2.82.5 is vulnerable to integer overflow and buffer under-read when parsing a very long invalid iso 8601 timestamp with g_date_time_new_from_iso8601().

A flaw was found in GLib. An integer overflow and buffer under-read occur when parsing a long invalid ISO 8601 timestamp with the g_date_time_new_from_iso8601() function.

Affected products

glib
  • <2.82.5
bootc
glib2
loupe
librsvg2
mingw-glib2
glycin-loaders

Matching in nixpkgs

pkgs.bootc

Boot and upgrade via container images

pkgs.podman-bootc

Streamlining podman+bootc interactions

pkgs.mlxbf-bootctl

Control BlueField boot partitions

pkgs.systemd-bootchart

Boot performance graphing tool from systemd

Package maintainers: 5

CVE-2025-31384
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 2 months, 4 weeks ago
WordPress Videos plugin <= 1.0.5 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Aviplugins Videos allows Reflected XSS. This issue affects Videos: from n/a through 1.0.5.

Affected products

videos
  • =<1.0.5

Matching in nixpkgs

pkgs.pantheon.elementary-videos

Video player and library app designed for elementary OS

Package maintainers: 2