Nixpkgs security tracker
6.5 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): None (N)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): High (H)
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse dismissed (not in Nixpkgs)
Tekton Pipelines: HTTP Resolver Unbounded Response Body Read Enables Denial of Service via Memory Exhaustion
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Prior to 1.11.1, the HTTP resolver's FetchHttpResource function calls io.ReadAll(resp.Body) with no response body size limit. Any tenant with permission to create TaskRuns or PipelineRuns that reference the HTTP resolver can point it at an attacker-controlled HTTP server that returns a very large response body within the 1-minute timeout window, causing the tekton-pipelines-resolvers pod to be OOM-killed by Kubernetes. Because all resolver types (Git, Hub, Bundle, Cluster, HTTP) run in the same pod, crashing this pod denies resolution service to the entire cluster. Repeated exploitation causes a sustained crash loop. The same vulnerable code path is reached by both the deprecated pkg/resolution/resolver/http and the current pkg/remoteresolution/resolver/http implementations. This vulnerability is fixed in 1.11.1.
References
-
https://github.com/tektoncd/pipeline/security/advisories/GHSA-m2cx-gpqf-qf74 x_refsource_CONFIRM
-
https://github.com/tektoncd/pipeline/releases/tag/v1.11.1 x_refsource_MISC
Affected products
- ==< 1.11.1
Matching in nixpkgs
pkgs.pipeline
Watch YouTube and PeerTube videos in one place
pkgs.libpipeline
C library for manipulating pipelines of subprocesses in a flexible and convenient way
pkgs.haskellPackages.pipeline
Continuation patterns
pkgs.rubyPackages.html-pipeline
None
pkgs.woodpecker-pipeline-transform
Utility to convert different pipelines to Woodpecker CI pipelines
pkgs.rubyPackages_3_3.html-pipeline
None
pkgs.rubyPackages_3_4.html-pipeline
None
pkgs.rubyPackages_4_0.html-pipeline
None
pkgs.python312Packages.pyannote-pipeline
Tunable pipelines
pkgs.python313Packages.pyannote-pipeline
Tunable pipelines
pkgs.python314Packages.pyannote-pipeline
Tunable pipelines
pkgs.haskellPackages.amazonka-codepipeline
Amazon CodePipeline SDK
-
nixos-unstable 2.0-unstable-2025-04-16
- nixpkgs-unstable 2.0-unstable-2025-04-16
- nixos-unstable-small 2.0-unstable-2025-04-16
-
nixos-25.11 2.0-unstable-2025-04-16
- nixos-25.11-small 2.0-unstable-2025-04-16
- nixpkgs-25.11-darwin 2.0-unstable-2025-04-16
pkgs.haskellPackages.amazonka-datapipeline
Amazon Data Pipeline SDK
-
nixos-unstable 2.0-unstable-2025-04-16
- nixpkgs-unstable 2.0-unstable-2025-04-16
- nixos-unstable-small 2.0-unstable-2025-04-16
-
nixos-25.11 2.0-unstable-2025-04-16
- nixos-25.11-small 2.0-unstable-2025-04-16
- nixpkgs-25.11-darwin 2.0-unstable-2025-04-16
pkgs.prometheus-gitlab-ci-pipelines-exporter
Prometheus / OpenMetrics exporter for GitLab CI pipelines insights
pkgs.python312Packages.mypy-boto3-codepipeline
Type annotations for boto3 codepipeline
-
nixos-25.11 boto3-codepipeline-1.41.0
- nixos-25.11-small boto3-codepipeline-1.41.0
- nixpkgs-25.11-darwin boto3-codepipeline-1.41.0
pkgs.python312Packages.mypy-boto3-datapipeline
Type annotations for boto3 datapipeline
-
nixos-25.11 boto3-datapipeline-1.41.0
- nixos-25.11-small boto3-datapipeline-1.41.0
- nixpkgs-25.11-darwin boto3-datapipeline-1.41.0
pkgs.python312Packages.pysigma-pipeline-sysmon
Library to support Sysmon pipeline for pySigma
pkgs.python313Packages.mypy-boto3-codepipeline
Type annotations for boto3 codepipeline
-
nixos-unstable boto3-codepipeline-1.42.3
- nixpkgs-unstable boto3-codepipeline-1.42.3
- nixos-unstable-small boto3-codepipeline-1.42.3
-
nixos-25.11 boto3-codepipeline-1.41.0
- nixos-25.11-small boto3-codepipeline-1.41.0
- nixpkgs-25.11-darwin boto3-codepipeline-1.41.0
pkgs.python313Packages.mypy-boto3-datapipeline
Type annotations for boto3 datapipeline
-
nixos-unstable boto3-datapipeline-1.42.3
- nixpkgs-unstable boto3-datapipeline-1.42.3
- nixos-unstable-small boto3-datapipeline-1.42.3
-
nixos-25.11 boto3-datapipeline-1.41.0
- nixos-25.11-small boto3-datapipeline-1.41.0
- nixpkgs-25.11-darwin boto3-datapipeline-1.41.0
pkgs.python313Packages.pysigma-pipeline-sysmon
Library to support Sysmon pipeline for pySigma
pkgs.python314Packages.mypy-boto3-codepipeline
Type annotations for boto3 codepipeline
-
nixos-unstable boto3-codepipeline-1.42.3
- nixpkgs-unstable boto3-codepipeline-1.42.3
- nixos-unstable-small boto3-codepipeline-1.42.3
pkgs.python314Packages.mypy-boto3-datapipeline
Type annotations for boto3 datapipeline
-
nixos-unstable boto3-datapipeline-1.42.3
- nixpkgs-unstable boto3-datapipeline-1.42.3
- nixos-unstable-small boto3-datapipeline-1.42.3
pkgs.python314Packages.pysigma-pipeline-sysmon
Library to support Sysmon pipeline for pySigma
pkgs.pkgsRocm.python3Packages.pyannote-pipeline
Tunable pipelines
pkgs.python312Packages.pysigma-pipeline-windows
Library to support Windows service pipeline for pySigma
pkgs.python313Packages.pysigma-pipeline-windows
Library to support Windows service pipeline for pySigma
pkgs.python314Packages.pysigma-pipeline-windows
Library to support Windows service pipeline for pySigma
pkgs.azure-cli-extensions.monitor-pipeline-group
Microsoft Azure Command-Line Tools MonitorPipelineGroup Extension
pkgs.home-assistant-component-tests.assist_pipeline
Open source home automation that puts local control and privacy first
pkgs.python312Packages.pysigma-pipeline-crowdstrike
Library to support CrowdStrike pipeline for pySigma
pkgs.python313Packages.pysigma-pipeline-crowdstrike
Library to support CrowdStrike pipeline for pySigma
pkgs.python314Packages.pysigma-pipeline-crowdstrike
Library to support CrowdStrike pipeline for pySigma
pkgs.tests.home-assistant-components.assist_pipeline
Open source home automation that puts local control and privacy first
pkgs.python312Packages.types-aiobotocore-codepipeline
Type annotations for aiobotocore codepipeline
pkgs.python312Packages.types-aiobotocore-datapipeline
Type annotations for aiobotocore datapipeline
pkgs.python313Packages.types-aiobotocore-codepipeline
Type annotations for aiobotocore codepipeline
pkgs.python313Packages.types-aiobotocore-datapipeline
Type annotations for aiobotocore datapipeline
pkgs.haskellPackages.amazonka-chime-sdk-media-pipelines
Amazon Chime SDK Media Pipelines SDK
-
nixos-unstable 2.0-unstable-2025-04-16
- nixpkgs-unstable 2.0-unstable-2025-04-16
- nixos-unstable-small 2.0-unstable-2025-04-16
-
nixos-25.11 2.0-unstable-2025-04-16
- nixos-25.11-small 2.0-unstable-2025-04-16
- nixpkgs-25.11-darwin 2.0-unstable-2025-04-16
pkgs.python312Packages.mypy-boto3-chime-sdk-media-pipelines
Type annotations for boto3 chime-sdk-media-pipelines
-
nixos-25.11 boto3-chime-sdk-media-pipelines-1.41.0
- nixos-25.11-small boto3-chime-sdk-media-pipelines-1.41.0
- nixpkgs-25.11-darwin boto3-chime-sdk-media-pipelines-1.41.0
pkgs.python313Packages.mypy-boto3-chime-sdk-media-pipelines
Type annotations for boto3 chime-sdk-media-pipelines
-
nixos-unstable boto3-chime-sdk-media-pipelines-1.42.3
- nixpkgs-unstable boto3-chime-sdk-media-pipelines-1.42.3
- nixos-unstable-small boto3-chime-sdk-media-pipelines-1.42.3
-
nixos-25.11 boto3-chime-sdk-media-pipelines-1.41.0
- nixos-25.11-small boto3-chime-sdk-media-pipelines-1.41.0
- nixpkgs-25.11-darwin boto3-chime-sdk-media-pipelines-1.41.0
pkgs.python314Packages.mypy-boto3-chime-sdk-media-pipelines
Type annotations for boto3 chime-sdk-media-pipelines
-
nixos-unstable boto3-chime-sdk-media-pipelines-1.42.3
- nixpkgs-unstable boto3-chime-sdk-media-pipelines-1.42.3
- nixos-unstable-small boto3-chime-sdk-media-pipelines-1.42.3
pkgs.python312Packages.types-aiobotocore-chime-sdk-media-pipelines
Type annotations for aiobotocore chime-sdk-media-pipelines
Package maintainers
-
@ulrikstrid Ulrik Strid <ulrik.strid@outlook.com>
-
@katexochen Paul Meyer <katexochen0@gmail.com>
-
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
-
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
-
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>
-
@chuangzhu Chuang Zhu <nixos@chuang.cz>
-
@normalcea normalcea <normalc@posteo.net>
-
@mmahut Marek Mahut <marek.mahut@gmail.com>
-
@mvisonneau Maxime VISONNEAU <maxime@visonneau.fr>
-
@mbalatsko Maksym Balatsko <mbalatsko@gmail.com>
-
@luftmensch-luftmensch Valentino Bocchetti <valentinobocchetti59@gmail.com>
-
@ambroisie Bruno BELANYI <bruno.nixpkgs@belanyi.fr>