Nixpkgs security tracker

Untriaged

Permalink CVE-2026-42272

7.8 HIGH

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): High (H)
Subsequent System Impact Integrity (SI): High (H)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): High (H)
Modified Subsequent System Impact Integrity (MSI): High (H)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

created 2 weeks, 2 days ago Activity log

Created suggestion 2 weeks, 2 days ago

Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded slashes (%2F) in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent (%2f) is not recognized and therefore not processed as expected when allow_encoded_slashes is set to off (the default setting). This discrepancy can lead to differences in how request paths are interpreted by heimdall and upstream components, which may result in authorization bypass. This issue has been patched in version 0.17.14.

References

https://github.com/dadrus/heimdall/security/advisories/GHSA-43jv-5j4x-qv67 x_refsource_CONFIRM
https://github.com/dadrus/heimdall/pull/3207 x_refsource_MISC
https://github.com/dadrus/heimdall/commit/8b0de6aba23a047cfee3081df878271bb17f4351 x_refsource_MISC
https://github.com/dadrus/heimdall/releases/tag/v0.17.14 x_refsource_MISC

Affected products

heimdall

==< 0.17.14

Matching in nixpkgs

pkgs.heimdall

Cross-platform open-source tool suite used to flash firmware onto Samsung Galaxy devices

nixos-unstable 2.2.2
- nixpkgs-unstable 2.2.2
- nixos-unstable-small 2.2.2
nixos-25.11 2.2.2
- nixos-25.11-small 2.2.2
- nixpkgs-25.11-darwin 2.2.2

pkgs.heimdall-gui

Cross-platform open-source tool suite used to flash firmware onto Samsung Galaxy devices

nixos-unstable 2.2.2
- nixpkgs-unstable 2.2.2
- nixos-unstable-small 2.2.2
nixos-25.11 2.2.2
- nixos-25.11-small 2.2.2
- nixpkgs-25.11-darwin 2.2.2

pkgs.heimdall-proxy

Cloud native Identity Aware Proxy and Access Control Decision service

nixos-unstable 0.17.13
- nixpkgs-unstable 0.17.13
- nixos-unstable-small 0.17.13
nixos-25.11 0.17.2
- nixos-25.11-small 0.17.2
- nixpkgs-25.11-darwin 0.17.2

Package maintainers

@timschumi Tim Schumacher <timschumi@gmx.de>
@surfaceflinger nat <nat@nekopon.pl>
@albertilagan Albert Ilagan <me@albertilagan.dev>