Nixpkgs security tracker

Dismissed

(not in Nixpkgs)

Permalink CVE-2026-44503

7.0 HIGH

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): Present (P)
Privileges Required (PR): None (N)
User Interaction (UI): Passive (P)
Vulnerable System Impact Confidentiality (VC): High (H)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): High (H)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): Present (P)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Passive (P)
Modified Vulnerable System Impact Confidentiality (MVC): High (H)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): High (H)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

updated 1 week, 3 days ago by @LeSuisse Activity log

Created suggestion 1 week, 4 days ago
@LeSuisse dismissed (not in Nixpkgs) 1 week, 3 days ago

Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect

The RedirectHandler middleware in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0) and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. Only the Authorization header is removed; Cookie, Proxy-Authorization, and all custom headers are forwarded to the redirect target.

References

https://github.com/microsoft/kiota-java/security/advisories/GHSA-7j59-v9qr-6fq9 x_refsource_CONFIRMexploit

Affected products

kiota-java

==< 1.9.1

kiota-typescript

==< 1.0.0-preview.100

microsoft-kiota-http

==< 1.9.9

Microsoft.Kiota.Abstractions

==< 1.22.0

microsoft-kiota-abstractions

==< 1.9.1

github.com/microsoft/kiota-http-go

==< 1.5.5

Matching in nixpkgs

pkgs.python312Packages.microsoft-kiota-http

HTTP request adapter implementation for Kiota clients for Python

nixos-25.11 1.9.7
- nixos-25.11-small 1.9.7
- nixpkgs-25.11-darwin 1.9.7

pkgs.python313Packages.microsoft-kiota-http

HTTP request adapter implementation for Kiota clients for Python

nixos-unstable 1.9.8
- nixpkgs-unstable 1.9.8
- nixos-unstable-small 1.9.8
nixos-25.11 1.9.7
- nixos-25.11-small 1.9.7
- nixpkgs-25.11-darwin 1.9.7

pkgs.python314Packages.microsoft-kiota-http

HTTP request adapter implementation for Kiota clients for Python

nixos-unstable 1.9.8
- nixpkgs-unstable 1.9.8
- nixos-unstable-small 1.9.8

pkgs.python312Packages.microsoft-kiota-abstractions

Abstractions library for Kiota generated Python clients

nixos-25.11 1.9.7
- nixos-25.11-small 1.9.7
- nixpkgs-25.11-darwin 1.9.7

pkgs.python313Packages.microsoft-kiota-abstractions

Abstractions library for Kiota generated Python clients

nixos-unstable 1.10.1
- nixpkgs-unstable 1.10.1
- nixos-unstable-small 1.10.1
nixos-25.11 1.9.7
- nixos-25.11-small 1.9.7
- nixpkgs-25.11-darwin 1.9.7

pkgs.python314Packages.microsoft-kiota-abstractions

Abstractions library for Kiota generated Python clients

nixos-unstable 1.10.1
- nixpkgs-unstable 1.10.1
- nixos-unstable-small 1.10.1

Package maintainers

@fabaff Fabian Affolter <mail@fabian-affolter.ch>

Dismissed

(not in Nixpkgs)

Permalink CVE-2026-41134

updated 1 month ago by @LeSuisse Activity log

Created suggestion 1 month ago
@LeSuisse dismissed (not in Nixpkgs) 1 month ago

Kiota: Code Generation Literal Injection

Kiota is an OpenAPI based HTTP Client code generator. Versions prior to 1.31.1 are affected by a code-generation literal injection vulnerability in multiple writer sinks (for example: serialization/deserialization keys, path/query parameter mappings, URL template metadata, enum/property metadata, and default value emission). When malicious values from an OpenAPI description are emitted into generated source without context-appropriate escaping, an attacker can break out of string literals and inject additional code into generated clients. This issue is only practically exploitable when the OpenAPI description used for generation is from an untrusted source, or a normally trusted OpenAPI description has been compromised/tampered with. Only generating from trusted, integrity-protected API descriptions significantly reduces the risk. To remediate the issue, upgrade Kiota to 1.31.1 or later and regenerate/refresh existing generated clients as a precaution. Refreshing generated clients ensures previously generated vulnerable code is replaced with hardened output.