Nixpkgs security tracker

Dismissed

(not in Nixpkgs)

Permalink CVE-2026-33975

updated 2 weeks, 6 days ago by @LeSuisse Activity log

Created suggestion 2 weeks, 6 days ago
@LeSuisse dismissed (not in Nixpkgs) 2 weeks, 6 days ago

twenty-server SSRF protection bypass via IPv4-mapped IPv6 address normalization

Twenty is an open source CRM built with NestJS (Node.js). In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Node.js's URL parser normalizes IPv4-mapped IPv6 addresses to compressed hex form (e.g., ::ffff:169.254.169.254 becomes ::ffff:a9fe:a9fe), but the isPrivateIp utility only recognizes the dotted-decimal notation. As a result, the hex form passes the SSRF check unchecked. Additionally, the socket lookup validation event does not fire for IP literal addresses, bypassing the second validation layer. An authenticated user can reach any internal IP, including cloud metadata endpoints, to exfiltrate credentials such as IAM keys.

References

https://github.com/twentyhq/twenty/security/advisories/GHSA-vrcj-hv2q-c58m x_refsource_CONFIRM

Affected products

twenty

==<= 1.18.0

Matching in nixpkgs

pkgs.gnome-2048

Obtain the 2048 tile

nixos-unstable 3.38.2
- nixpkgs-unstable 3.38.2
- nixos-unstable-small 3.38.2
nixos-25.11 3.38.2
- nixos-25.11-small 3.38.2
- nixpkgs-25.11-darwin 3.38.2

pkgs.wordpressPackages.themes.twentytwenty

None

nixos-unstable 3.0
- nixpkgs-unstable 3.0
- nixos-unstable-small 3.0
nixos-25.11 2.9
- nixos-25.11-small 2.9
- nixpkgs-25.11-darwin 2.9

pkgs.wordpressPackages.themes.twentynineteen

None

nixos-unstable 3.2
- nixpkgs-unstable 3.2
- nixos-unstable-small 3.2
nixos-25.11 3.1
- nixos-25.11-small 3.1
- nixpkgs-25.11-darwin 3.1

pkgs.wordpressPackages.themes.twentytwentyone

None

nixos-unstable 2.7
- nixpkgs-unstable 2.7
- nixos-unstable-small 2.7
nixos-25.11 2.5
- nixos-25.11-small 2.5
- nixpkgs-25.11-darwin 2.5

pkgs.wordpressPackages.themes.twentytwentytwo

None

nixos-unstable 2.1
- nixpkgs-unstable 2.1
- nixos-unstable-small 2.1
nixos-25.11 2.0
- nixos-25.11-small 2.0
- nixpkgs-25.11-darwin 2.0

pkgs.wordpressPackages.themes.twentytwentyfive

None

nixos-unstable 1.4
- nixpkgs-unstable 1.4
- nixos-unstable-small 1.4
nixos-25.11 1.2
- nixos-25.11-small 1.2
- nixpkgs-25.11-darwin 1.2

pkgs.wordpressPackages.themes.twentytwentyfour

None

nixos-unstable 1.4
- nixpkgs-unstable 1.4
- nixos-unstable-small 1.4
nixos-25.11 1.3
- nixos-25.11-small 1.3
- nixpkgs-25.11-darwin 1.3

pkgs.wordpressPackages.themes.twentytwentythree

None

nixos-unstable 1.6
- nixpkgs-unstable 1.6
- nixos-unstable-small 1.6
nixos-25.11 1.6
- nixos-25.11-small 1.6
- nixpkgs-25.11-darwin 1.6

Package maintainers

@jtojnar Jan Tojnar <jtojnar@gmail.com>
@dasj19 Daniel Șerbănescu <daniel@serbanescu.dk>
@bobby285271 Bobby Rong <rjl931189261@126.com>
@hedning Tor Hedin Brønner <torhedinbronner@gmail.com>

Dismissed

(not in Nixpkgs)

Permalink CVE-2026-35451

5.7 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

updated 1 month ago by @LeSuisse Activity log

Created suggestion 1 month ago
@LeSuisse dismissed (not in Nixpkgs) 1 month ago

Twenty: Stored XSS via BlockNote FileBlock

Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: URI into the url property of a file block. This allows the execution of arbitrary JavaScript when a user clicks on the malicious file attachment. This vulnerability is fixed in 1.20.6.