Nixpkgs Security Tracker

Published suggestions

updated 1 day ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    23 packages
    • faraday
    • faraday-cli
    • faraday-agent-dispatcher
    • ocamlPackages.faraday
    • ocamlPackages.faraday-lwt
    • ocamlPackages.faraday-async
    • ocamlPackages_latest.faraday
    • rubyPackages.faraday-net_http
    • ocamlPackages.faraday-lwt-unix
    • ocamlPackages_latest.faraday-lwt
    • python312Packages.faraday-plugins
    • python313Packages.faraday-plugins
    • python314Packages.faraday-plugins
    • rubyPackages_3_1.faraday-net_http
    • rubyPackages_3_2.faraday-net_http
    • ocamlPackages_latest.faraday-async
    • ocamlPackages_latest.faraday-lwt-unix
    • python312Packages.faraday-agent-parameters-types
    • python313Packages.faraday-agent-parameters-types
    • rubyPackages_4_0.faraday-net_http
    • rubyPackages_3_4.faraday-net_http
    • rubyPackages_3_3.faraday-net_http
    • python314Packages.faraday-agent-parameters-types
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1.

Affected products

faraday
  • <2.14.1

Matching in nixpkgs

Ignored packages (23)

Package maintainers

Upstream advisory: https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2
Upstream patch: https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc
updated 1 day, 23 hours ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
In JetBrains YouTrack before 2025.3.119033 access tokens could be exposed …

In JetBrains YouTrack before 2025.3.119033 access tokens could be exposed in Mailbox logs

Affected products

YouTrack
  • <2025.3.119033

Matching in nixpkgs

Package maintainers

updated 1 day, 23 hours ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    4 packages
    • python312Packages.python3-gnutls
    • python313Packages.python3-gnutls
    • python314Packages.python3-gnutls
    • guile-gnutls
  • @LeSuisse removed
    3 maintainers
    • @vcunat
    • @foo-dogsquared
    • @charlieshanley
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
GnuTLS: denial of service via excessive resource consumption during certificate verification

A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).

Affected products

rhcos
gnutls

Matching in nixpkgs

Ignored packages (4)

Package maintainers

Ignored maintainers (3)
Upstream patch: https://gitlab.com/gnutls/gnutls/-/commit/d6054f0016db05fb5c82177ddbd0a4e8331059a1

Fixed in 3.8.12
https://gitlab.com/gnutls/gnutls/-/blob/3.8.12/NEWS?ref_type=tags
updated 1 day, 23 hours ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed package rotp
  • @LeSuisse removed
    2 maintainers
    • @rnhmjoj
    • @jtrees
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Crafted delegations or IP fragments can poison cached delegations in Recursor

Crafted delegations or IP fragments can poison cached delegations in Recursor.

Affected products

pdns-recursor
  • <5.2.6
  • <5.1.8
  • <5.3.1

Matching in nixpkgs

Ignored packages (1)

pkgs.rotp

Open-source modernization of the 1993 classic "Master of Orion", written in Java

Package maintainers

Ignored maintainers (2)
Fixed in:
* https://github.com/NixOS/nixpkgs/commit/42bb4a06d4a01d3dbfca9a19a9daef7cb7560374 (25.11)
* https://github.com/NixOS/nixpkgs/commit/f4cf3fc15536fdc273350b98ad8f4289f32512d2 (unstable)
updated 1 day, 23 hours ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
CCExtractor MPEG-TS File ts_tables.c parse_PMT out-of-bounds

A vulnerability was identified in CCExtractor up to 183. It affects the functions parse_PAT/parse_PMT in the file src/lib_ccx/ts_tables.c of the MPEG-TS File Parser component. Manipulation of the input leads to an out-of-bounds read. The attack can only be performed from a local environment. The exploit is publicly available and might be used. The patch is identified as fd7271bae238ccb3ae8a71304ea64f0886324925. It is best practice to apply the patch to resolve this issue.

Affected products

CCExtractor
  • ==183

Matching in nixpkgs

Package maintainers

Upstream patch: https://github.com/CCExtractor/ccextractor/commit/fd7271bae238ccb3ae8a71304ea64f0886324925
Upstream issue: https://github.com/CCExtractor/ccextractor/issues/2053
updated 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Apache Airflow: Assigning single DAG permission leaked all DAGs Import Errors

Apache Airflow versions before 3.1.7 have a vulnerability that allows authenticated UI users with permission to one or more specific DAGs to view import errors generated by other DAGs they do not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves this issue.

Affected products

apache-airflow
  • <3.1.7

Matching in nixpkgs

Package maintainers

Upstream announcement: https://lists.apache.org/thread/nx96435v77xdst7ls5lk57kqvqyj095x
updated 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed package rotp
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Crafted zones can lead to increased resource usage and crafted CNAME chains can lead to cache poisoning in Recursor

Crafted zones can lead to increased resource usage and crafted CNAME chains can lead to cache poisoning in Recursor.

Affected products

pdns-recursor
  • <5.1.10
  • <5.3.5
  • <5.2.8

Matching in nixpkgs

Ignored packages (1)

pkgs.rotp

Open-source modernization of the 1993 classic "Master of Orion", written in Java

Package maintainers

Upstream advisory: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-01.html
updated 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    6 packages
    • vscode-extensions.janet-lang.vscode-janet
    • tree-sitter-grammars.tree-sitter-janet-simple
    • vimPlugins.nvim-treesitter-parsers.janet_simple
    • python312Packages.tree-sitter-grammars.tree-sitter-janet-simple
    • python313Packages.tree-sitter-grammars.tree-sitter-janet-simple
    • python314Packages.tree-sitter-grammars.tree-sitter-janet-simple
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
janet-lang janet specials.c janetc_if out-of-bounds

A vulnerability was determined in janet-lang janet up to 1.40.1. It affects the function janetc_if in the file src/core/specials.c. Manipulation of the input can lead to an out-of-bounds read. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. The patch is identified as c43e06672cd9dacf2122c99f362120a17c34b391. It is advisable to apply the patch to correct this issue.

Affected products

janet
  • ==1.40.1
  • ==1.40.0

Matching in nixpkgs

Ignored packages (6)

Package maintainers

Upstream patch: https://github.com/janet-lang/janet/commit/c43e06672cd9dacf2122c99f362120a17c34b391
updated 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Apache Airflow: Airflow externalLogUrl Permission Bypass

Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenticated user with custom permissions limited to task access to view task logs without having task log access. Users are recommended to upgrade to Apache Airflow 3.1.7 or later, which resolves this issue.

Affected products

apache-airflow
  • <3.1.7

Matching in nixpkgs

Package maintainers

Upstream announcement: https://lists.apache.org/thread/gdb7vffhpmrj5hp1j0oj1j13o4vmsq40
updated 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
In JetBrains PyCharm before 2025.3.2 a DOM-based XSS on Jupyter …

In JetBrains PyCharm before 2025.3.2 a DOM-based XSS on Jupyter viewer page was possible

Affected products

PyCharm
  • <2025.3.2

Matching in nixpkgs

Package maintainers