Nixpkgs security tracker

Published

Permalink CVE-2026-42448

3.5 LOW

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

updated 2 weeks, 4 days ago by @LeSuisse Activity log

Created suggestion 2 weeks, 4 days ago
@LeSuisse ignored
8 packages
- wormhole-rs
- magic-wormhole-rs
- python314Packages.magic-wormhole-mailbox-server
- python313Packages.magic-wormhole-mailbox-server
- python312Packages.magic-wormhole-mailbox-server
- python314Packages.magic-wormhole-transit-relay
- python313Packages.magic-wormhole-transit-relay
- python312Packages.magic-wormhole-transit-relay
2 weeks, 4 days ago
@LeSuisse ignored maintainer @mjoerg 2 weeks, 4 days ago maintainer.ignore
@LeSuisse accepted 2 weeks, 4 days ago
@LeSuisse published on GitHub 2 weeks, 4 days ago

wormhole receive, with --output pointing at an existing directory can be path-traversed

Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. Prior to 0.24.0, there is a path traversal when a receiver who specifies "--output <dir>" where that output directory currently exists (as a directory). This vulnerability is fixed in 0.24.0.

References

https://github.com/magic-wormhole/magic-wormhole/security/advisories/GHSA-cf92-gfcw-6v53 x_refsource_CONFIRM

Affected products

magic-wormhole

==< 0.24.0

Matching in nixpkgs

pkgs.magic-wormhole

Securely transfer data between computers

nixos-unstable 0.24.0
- nixpkgs-unstable 0.24.0
- nixos-unstable-small 0.24.0

pkgs.python312Packages.magic-wormhole

None

pkgs.python313Packages.magic-wormhole

Securely transfer data between computers

nixos-unstable 0.24.0
- nixpkgs-unstable 0.24.0
- nixos-unstable-small 0.24.0

pkgs.python314Packages.magic-wormhole

Securely transfer data between computers

nixos-unstable 0.24.0
- nixpkgs-unstable 0.24.0
- nixos-unstable-small 0.24.0

Ignored packages (8)

pkgs.wormhole-rs

Rust implementation of Magic Wormhole, with new features and enhancements

nixos-unstable 0.8.1
- nixpkgs-unstable 0.8.1
- nixos-unstable-small 0.8.1

pkgs.magic-wormhole-rs

Rust implementation of Magic Wormhole, with new features and enhancements

nixos-unstable 0.8.1
- nixpkgs-unstable 0.8.1
- nixos-unstable-small 0.8.1

pkgs.python312Packages.magic-wormhole-transit-relay

None

pkgs.python313Packages.magic-wormhole-transit-relay

Transit Relay server for Magic-Wormhole

nixos-unstable 0.5.0
- nixpkgs-unstable 0.5.0
- nixos-unstable-small 0.5.0

pkgs.python314Packages.magic-wormhole-transit-relay

Transit Relay server for Magic-Wormhole

nixos-unstable 0.5.0
- nixpkgs-unstable 0.5.0
- nixos-unstable-small 0.5.0

pkgs.python312Packages.magic-wormhole-mailbox-server

None

pkgs.python313Packages.magic-wormhole-mailbox-server

Securely transfer data between computers

nixos-unstable 0.7.0
- nixpkgs-unstable 0.7.0
- nixos-unstable-small 0.7.0

pkgs.python314Packages.magic-wormhole-mailbox-server

Securely transfer data between computers

nixos-unstable 0.7.0
- nixpkgs-unstable 0.7.0
- nixos-unstable-small 0.7.0

Package maintainers

Ignored maintainers (1)

@mjoerg Martin Joerg <martin.joerg@gmail.com>

Published

Permalink CVE-2026-32116

updated 3 months ago by @LeSuisse Activity log

Created suggestion 3 months ago
@LeSuisse ignored
11 packages
- wormhole-rs
- magic-wormhole-rs
- python312Packages.magic-wormhole
- python313Packages.magic-wormhole
- python314Packages.magic-wormhole
- python312Packages.magic-wormhole-transit-relay
- python313Packages.magic-wormhole-transit-relay
- python314Packages.magic-wormhole-transit-relay
- python312Packages.magic-wormhole-mailbox-server
- python313Packages.magic-wormhole-mailbox-server
- python314Packages.magic-wormhole-mailbox-server
3 months ago
@LeSuisse accepted 3 months ago
@LeSuisse published on GitHub 3 months ago

Magic Wormhole: "wormhole receive" allows arbitrary local file overwrite

Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. From 0.21.0 to before 0.23.0, receiving a file (wormhole receive) from a malicious party could result in overwriting critical local files, including ~/.ssh/authorized_keys and .bashrc. This could be used to compromise the receiver's computer. Only the sender of the file (the party who runs wormhole send) can mount the attack. Other parties (including the transit/relay servers) are excluded by the wormhole protocol. This vulnerability is fixed in 0.23.0.

References

https://github.com/magic-wormhole/magic-wormhole/security/advisories/GHSA-4g4c-mfqg-pj8r x_refsource_CONFIRM

Affected products

magic-wormhole

==>= 0.21.0, < 0.23.0

Matching in nixpkgs

pkgs.magic-wormhole

Securely transfer data between computers

nixos-unstable 0.22.0
- nixpkgs-unstable 0.22.0
- nixos-unstable-small 0.22.0

Ignored packages (11)

pkgs.wormhole-rs

Rust implementation of Magic Wormhole, with new features and enhancements

nixos-unstable 0.7.6
- nixpkgs-unstable 0.7.6
- nixos-unstable-small 0.7.6

pkgs.magic-wormhole-rs

Rust implementation of Magic Wormhole, with new features and enhancements

nixos-unstable 0.7.6
- nixpkgs-unstable 0.7.6
- nixos-unstable-small 0.7.6

pkgs.python312Packages.magic-wormhole

None

pkgs.python313Packages.magic-wormhole

Securely transfer data between computers

nixos-unstable 0.22.0
- nixpkgs-unstable 0.22.0
- nixos-unstable-small 0.22.0

pkgs.python314Packages.magic-wormhole

Securely transfer data between computers

nixos-unstable 0.22.0
- nixpkgs-unstable 0.22.0
- nixos-unstable-small 0.22.0

pkgs.python312Packages.magic-wormhole-transit-relay

None

pkgs.python313Packages.magic-wormhole-transit-relay

Transit Relay server for Magic-Wormhole

nixos-unstable 0.4.0
- nixpkgs-unstable 0.4.0
- nixos-unstable-small 0.4.0

pkgs.python314Packages.magic-wormhole-transit-relay

Transit Relay server for Magic-Wormhole

nixos-unstable 0.4.0
- nixpkgs-unstable 0.4.0
- nixos-unstable-small 0.4.0

pkgs.python312Packages.magic-wormhole-mailbox-server

None

pkgs.python313Packages.magic-wormhole-mailbox-server

Securely transfer data between computers

nixos-unstable 0.5.1
- nixpkgs-unstable 0.5.1
- nixos-unstable-small 0.5.1

pkgs.python314Packages.magic-wormhole-mailbox-server

Securely transfer data between computers

nixos-unstable 0.5.1
- nixpkgs-unstable 0.5.1
- nixos-unstable-small 0.5.1

Package maintainers

@mjoerg Martin Joerg <martin.joerg@gmail.com>

Upstream advisory: https://github.com/magic-wormhole/magic-wormhole/security/advisories/GHSA-4g4c-mfqg-pj8r

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.magic-wormhole

pkgs.python312Packages.magic-wormhole

pkgs.python313Packages.magic-wormhole

pkgs.python314Packages.magic-wormhole

pkgs.wormhole-rs

pkgs.magic-wormhole-rs

pkgs.python312Packages.magic-wormhole-transit-relay

pkgs.python313Packages.magic-wormhole-transit-relay

pkgs.python314Packages.magic-wormhole-transit-relay

pkgs.python312Packages.magic-wormhole-mailbox-server

pkgs.python313Packages.magic-wormhole-mailbox-server

pkgs.python314Packages.magic-wormhole-mailbox-server

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.magic-wormhole

pkgs.wormhole-rs

pkgs.magic-wormhole-rs

pkgs.python312Packages.magic-wormhole

pkgs.python313Packages.magic-wormhole

pkgs.python314Packages.magic-wormhole

pkgs.python312Packages.magic-wormhole-transit-relay

pkgs.python313Packages.magic-wormhole-transit-relay

pkgs.python314Packages.magic-wormhole-transit-relay

pkgs.python312Packages.magic-wormhole-mailbox-server

pkgs.python313Packages.magic-wormhole-mailbox-server

pkgs.python314Packages.magic-wormhole-mailbox-server

Package maintainers