NIXPKGS-2026-0819

GitHub issue published 2 months, 4 weeks ago

Permalink CVE-2026-33747

8.4 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): High (H)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): High (H)

updated 2 months, 4 weeks ago by @LeSuisse Activity log

Created suggestion 2 months, 4 weeks ago
@LeSuisse ignored
7 packages
- buildkit-nix
- buildkite-cli
- buildkite-agent
- buildkite-agent-metrics
- buildkite-test-collector-rust
- terraform-providers.buildkite
- terraform-providers.buildkite_buildkite
2 months, 4 weeks ago
@LeSuisse accepted 2 months, 4 weeks ago
@LeSuisse published on GitHub 2 months, 4 weeks ago

BuildKit vulnerable to malicious frontend causing file escape outside of storage root

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected.

References

https://github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj x_refsource_CONFIRM
https://github.com/moby/buildkit/releases/tag/v0.28.1 x_refsource_MISC

Affected products

buildkit

==< 0.28.1

Matching in nixpkgs

pkgs.buildkit

Concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit

nixos-unstable 0.28.0
- nixpkgs-unstable 0.28.0
- nixos-unstable-small 0.28.0

Ignored packages (7)

pkgs.buildkit-nix

Nix frontend for BuildKit

nixos-unstable 0.1.1
- nixpkgs-unstable 0.1.1
- nixos-unstable-small 0.1.1

pkgs.buildkite-cli

Command line interface for Buildkite

nixos-unstable 3.32.2
- nixpkgs-unstable 3.32.2
- nixos-unstable-small 3.32.2

pkgs.buildkite-agent

Build runner for buildkite.com

nixos-unstable 3.89.0
- nixpkgs-unstable 3.89.0
- nixos-unstable-small 3.89.0

pkgs.buildkite-agent-metrics

Command-line tool (and Lambda) for collecting Buildkite agent metrics

nixos-unstable 5.10.0
- nixpkgs-unstable 5.10.0
- nixos-unstable-small 5.10.0

pkgs.buildkite-test-collector-rust

Rust adapter for Buildkite Test Analytics

nixos-unstable 0.1.3
- nixpkgs-unstable 0.1.3
- nixos-unstable-small 0.1.3

pkgs.terraform-providers.buildkite

None

nixos-unstable 1.31.2
- nixpkgs-unstable 1.31.2
- nixos-unstable-small 1.31.2

pkgs.terraform-providers.buildkite_buildkite