6.3 MEDIUM
- CVSS version (CVSS): 4.0
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Attack Requirement (AT): Present (P)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Vulnerable System Impact Confidentiality (VC): Low (L)
- Vulnerable System Impact Integrity (VI): None (N)
- Vulnerable System Impact Availability (VA): Low (L)
- Subsequent System Impact Confidentiality (SC): None (N)
- Subsequent System Impact Integrity (SI): None (N)
- Subsequent System Impact Availability (SA): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Attack Requirement (MAT): Present (P)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
- Modified Vulnerable System Impact Integrity (MVI): None (N)
- Modified Vulnerable System Impact Availability (MVA): Low (L)
- Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
- Modified Subsequent System Impact Integrity (MSI): Negligible (N)
- Modified Subsequent System Impact Availability (MSA): Negligible (N)
- Safety (S): Not Defined (X)
- Automatable (AU): Not Defined (X)
- Recovery (R): Not Defined (X)
- Value Density (V): Not Defined (X)
- Vulnerability Response Effort (RE): Not Defined (X)
- Provider Urgency (U): Not Defined (X)
- Confidentiality Req. (CR): Not Defined (X)
- Integrity Req. (IR): Not Defined (X)
- Availability Req. (AR): Not Defined (X)
- Exploit Maturity (E): Not Defined (X)
Activity log
- Created suggestion
Ghidra < 12.2 - Unauthenticated Path Traversal in Debugger ISF Server
Ghidra before 12.2 contains an unauthenticated path traversal vulnerability in the IsfServer, which accepts TCP connections and passes client-supplied namespace strings directly to filesystem operations without validation. Remote attackers can connect to port 54321 and send crafted protobuf messages containing traversal sequences to enumerate filesystem paths and probe arbitrary files.
References
- https://www.vulncheck.com/advisories/ghidra-unauthenticated-path-traversal-in-d… (third-party-advisory)
Affected products
- ==12.2
- <12.2
Matching in nixpkgs
pkgs.ghidra
Software reverse engineering (SRE) suite of tools
pkgs.ghidra-bin
Software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission
pkgs.rizinPlugins.rz-ghidra
Deep ghidra decompiler and sleigh disassembler integration for rizin
pkgs.cutterPlugins.rz-ghidra
Deep ghidra decompiler and sleigh disassembler integration for rizin
pkgs.ghidra-extensions.ret-sync
Reverse-Engineering Tools SYNChronization. Allows syncing between a debugging session and Ghidra
- nixos-unstable 0-unstable-2024-05-29
  - nixpkgs-unstable 0-unstable-2024-05-29
  - nixos-unstable-small 0-unstable-2024-05-29
- nixos-26.05 0-unstable-2024-05-29
  - nixos-26.05-small 0-unstable-2024-05-29
  - nixpkgs-26.05-darwin 0-unstable-2024-05-29
pkgs.python313Packages.pyghidra
Native CPython for Ghidra
pkgs.python314Packages.pyghidra
Native CPython for Ghidra
pkgs.python313Packages.ghidra-bridge
Python bridge to Ghidra's Python scripting
pkgs.python314Packages.ghidra-bridge
Python bridge to Ghidra's Python scripting
pkgs.ghidra-extensions.ghidra-firmware-utils
Ghidra utilities for analyzing PC firmware
- nixos-unstable 2026.01.14
  - nixpkgs-unstable 2026.01.14
  - nixos-unstable-small 2026.01.14
- nixos-26.05 2026.01.14
  - nixos-26.05-small 2026.01.14
  - nixpkgs-26.05-darwin 2026.01.14
pkgs.ghidra-extensions.ghidra-delinker-extension
Ghidra extension for delinking executables back to object files
pkgs.ghidra-extensions.ghidraninja-ghidra-scripts
Scripts for the Ghidra software reverse engineering suite
- nixos-unstable 2020-10-07
  - nixpkgs-unstable 2020-10-07
  - nixos-unstable-small 2020-10-07
- nixos-26.05 2020-10-07
  - nixos-26.05-small 2020-10-07
  - nixpkgs-26.05-darwin 2020-10-07
Package maintainers
- @chayleaf Anna Pavlyuk <chayleaf-nix@pavluk.org>
- @roblabla Robin Lambertz <robinlambertz+dev@gmail.com>
- @vringar Stefan Zabka <git@zabka.it>
- @ck3d Christian Kögler <ck3d@gmx.de>
- @GovanifY Gauvain 'GovanifY' Roussel-Tarbouriech <gauvain@govanify.com>
- @Mic92 Jörg Thalheim <joerg@thalheim.io>
- @hexadecimalDinosaur Ivy Fan-Chiang <dev@ivyfanchiang.ca>
- @jchv John Chadwick <johnwchadwick@gmail.com>
- @timschumi Tim Schumacher <timschumi@gmx.de>
- @spencerpogo Spencer Pogorzelski
- @fabaff Fabian Affolter <mail@fabian-affolter.ch>