Nixpkgs Security Tracker

Login with GitHub

Suggestion detail

Untriaged

Permalink CVE-2026-32771

created 1 day, 6 hours ago

Monitoring is vulnerable to Archive Slip due to missing checks in sanitization

The CTFer.io Monitoring component is in charge of the collection, process and storage of various signals (i.e. logs, metrics and distributed traces). In versions prior to 0.2.2, the sanitizeArchivePath function in pkg/extract/extract.go (lines 248–254) is vulnerable to Path Traversal due to a missing trailing path separator in the strings.HasPrefix check. The extractor allows arbitrary file writes (e.g., overwriting shell configs, SSH keys, kubeconfig, or crontabs), enabling RCE and persistent backdoors. The attack surface is further amplified by the default ReadWriteMany PVC access mode, which lets any pod in the cluster inject a malicious payload. This issue has been fixed in version 0.2.2.

References

https://github.com/ctfer-io/monitoring/security/advisories/GHSA-f7cq-gvh6-qr25 x_refsource_CONFIRM
https://github.com/ctfer-io/monitoring/commit/269dba165aa42210352628c0db6756f3b8fd3c8a x_refsource_MISC
https://security.snyk.io/research/zip-slip-vulnerability#expandable-socPI9fFAJ-title x_refsource_MISC

Affected products

monitoring

==< 0.2.2

Matching in nixpkgs

pkgs.monitoring-plugins

Official monitoring plugins for Nagios/Icinga/Sensu and others

nixos-unstable 2.4.0
- nixpkgs-unstable 2.4.0
- nixos-unstable-small 2.4.0
nixos-25.11 2.4.0
- nixos-25.11-small 2.4.0
- nixpkgs-25.11-darwin 2.4.0

pkgs.perlPackages.MonitoringPlugin

A family of perl modules to streamline writing Naemon, Nagios, Icinga or Shinken (and compatible) plugins

nixos-unstable 0.40
- nixpkgs-unstable 0.40
- nixos-unstable-small 0.40
nixos-25.11 0.40
- nixos-25.11-small 0.40
- nixpkgs-25.11-darwin 0.40

pkgs.perl5Packages.MonitoringPlugin

A family of perl modules to streamline writing Naemon, Nagios, Icinga or Shinken (and compatible) plugins

nixos-unstable 0.40
- nixpkgs-unstable 0.40
- nixos-unstable-small 0.40

pkgs.haskellPackages.gogol-monitoring

Google Stackdriver Monitoring SDK

nixos-unstable 1.0.0
- nixpkgs-unstable 1.0.0
- nixos-unstable-small 1.0.0
nixos-25.11 1.0.0
- nixos-25.11-small 1.0.0
- nixpkgs-25.11-darwin 1.0.0

pkgs.perl538Packages.MonitoringPlugin

A family of perl modules to streamline writing Naemon, Nagios, Icinga or Shinken (and compatible) plugins

nixos-25.11 0.40
- nixos-25.11-small 0.40
- nixpkgs-25.11-darwin 0.40

pkgs.perl540Packages.MonitoringPlugin

A family of perl modules to streamline writing Naemon, Nagios, Icinga or Shinken (and compatible) plugins

nixos-25.11 0.40
- nixos-25.11-small 0.40
- nixpkgs-25.11-darwin 0.40

pkgs.python312Packages.google-cloud-monitoring

Stackdriver Monitoring API client library

nixos-25.11 2.27.2
- nixos-25.11-small 2.27.2
- nixpkgs-25.11-darwin 2.27.2

pkgs.python313Packages.google-cloud-monitoring

Stackdriver Monitoring API client library

nixos-unstable 2.29.1
- nixpkgs-unstable 2.29.1
- nixos-unstable-small 2.29.1
nixos-25.11 2.27.2
- nixos-25.11-small 2.27.2
- nixpkgs-25.11-darwin 2.27.2

pkgs.python314Packages.google-cloud-monitoring

Stackdriver Monitoring API client library

nixos-unstable 2.29.1
- nixpkgs-unstable 2.29.1
- nixos-unstable-small 2.29.1

pkgs.home-assistant-component-tests.victron_remote_monitoring

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-component-tests.victron_remote_monitoring

Open source home automation that puts local control and privacy first

nixos-unstable 2026.2.3
- nixpkgs-unstable 2026.2.3
- nixos-unstable-small 2026.2.3

Package maintainers

@relrod Ricky Elrod <ricky@elrod.me>
@thoughtpolice Austin Seipp <aseipp@pobox.com>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>