Nixpkgs Security Tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Drafts

to create a Nixpkgs security record and open a GitHub issue for tracking resolution. This action will notify maintainers and package subscribers, and cannot be revoked.

to remove a suggestion from the queue.

CVE-2024-0406
6.1 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 10 months, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 11 months ago
  • @LeSuisse accepted as draft 10 months, 3 weeks ago
Mholt/archiver: path traversal vulnerability

A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library.

Affected products

archiver
  • *
  • *
openshift4/oc-mirror-plugin-rhel8
openshift4/oc-mirror-plugin-rhel9
  • *
advanced-cluster-security/rhacs-main-rhel8
advanced-cluster-security/rhacs-roxctl-rhel8
advanced-cluster-security/rhacs-scanner-rhel8

Matching in nixpkgs

pkgs.archiver

Easily create & extract archives, and compress & decompress files of various formats

pkgs.xarchiver

GTK frontend to 7z,zip,rar,tar,bzip2, gzip,arj, lha, rpm and deb (open and extract only)

pkgs.fsarchiver

File system archiver for linux

pkgs.lxqt.lxqt-archiver

Archive tool for the LXQt desktop environment

pkgs.CuboCore.corearchiver

Archiver from the C Suite to create and extract archives

pkgs.wayback-machine-archiver

Python script to submit web pages to the Wayback Machine for archiving

pkgs.python311Packages.nskeyedunarchiver

Unserializes plist data into a usable Python dict

pkgs.python312Packages.nskeyedunarchiver

Unserializes plist data into a usable Python dict

pkgs.python312Packages.nskeyedunarchiver.x86_64-linux

Unserializes plist data into a usable Python dict

pkgs.python312Packages.nskeyedunarchiver.aarch64-linux

Unserializes plist data into a usable Python dict

pkgs.python312Packages.nskeyedunarchiver.x86_64-darwin

Unserializes plist data into a usable Python dict

pkgs.python312Packages.nskeyedunarchiver.aarch64-darwin

Unserializes plist data into a usable Python dict

Package maintainers: 7

CVE-2024-12084
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 10 months, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 11 months ago
  • @LeSuisse accepted as draft 10 months, 3 weeks ago
Rsync: heap buffer overflow in rsync due to improper checksum length handling

A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer.

Affected products

rhcos
rsync
  • ==3.2.7
  • *
  • ==3.3.0

Matching in nixpkgs

pkgs.rsync

Fast incremental file transfer utility

pkgs.rsync.x86_64-linux

Fast incremental file transfer utility

pkgs.rsync.aarch64-linux

Fast incremental file transfer utility

pkgs.rsync.x86_64-darwin

Fast incremental file transfer utility

pkgs.rsync.aarch64-darwin

Fast incremental file transfer utility

Package maintainers: 3

CVE-2025-23884
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 10 months, 3 weeks ago by @Erethon Activity log
  • Created automatic suggestion 11 months ago
  • @Erethon dismissed 10 months, 3 weeks ago
  • @Erethon accepted as draft 10 months, 3 weeks ago
WordPress Annie plugin <= 2.1.1 - CSRF to Stored XSS vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Chris Roberts Annie allows Cross Site Request Forgery.This issue affects Annie: from n/a through 2.1.1.

Affected products

annie
  • =<2.1.1

Matching in nixpkgs

pkgs.wannier90

Calculation of maximally localised Wannier functions

Package maintainers: 1

CVE-2025-23760
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 10 months, 3 weeks ago by @Erethon Activity log
  • Created automatic suggestion 11 months ago
  • @Erethon accepted as draft 10 months, 3 weeks ago
  • @Erethon dismissed 10 months, 3 weeks ago
  • @Erethon accepted as draft 10 months, 3 weeks ago
WordPress Chatter plugin <= 1.0.1 - CSRF to Stored XSS vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Volkov Chatter allows Stored XSS. This issue affects Chatter: from n/a through 1.0.1.

Affected products

chatter
  • =<1.0.1

Matching in nixpkgs

pkgs.chatterino2

Chat client for Twitch chat

pkgs.haskellPackages.chatter

A library of simple NLP algorithms

pkgs.haskellPackages.chatter.x86_64-linux

A library of simple NLP algorithms

pkgs.haskellPackages.chatter.aarch64-linux

A library of simple NLP algorithms

pkgs.haskellPackages.chatter.x86_64-darwin

A library of simple NLP algorithms

pkgs.haskellPackages.chatter.aarch64-darwin

A library of simple NLP algorithms

Package maintainers: 3

CVE-2025-0502
updated 10 months, 3 weeks ago by @Erethon Activity log
  • Created automatic suggestion 11 months ago
  • @Erethon accepted as draft 10 months, 3 weeks ago
Transmission of Private Resources into a New Sphere in Crafter Engine

Transmission of Private Resources into a New Sphere ('Resource Leak') vulnerability in CrafterCMS Engine on Linux, MacOS, x86, Windows, 64 bit, ARM allows Directory Indexing, Resource Leak Exposure.This issue affects CrafterCMS: from 4.0.0 before 4.0.8, from 4.1.0 before 4.1.6.

Affected products

Engine
  • <4.0.8
  • <4.1.6

Matching in nixpkgs

pkgs.haskellPackages.Control-Engine

A parallel producer/consumer engine (thread pool)

pkgs.perl538Packages.XMLXPathEngine

Re-usable XPath engine for DOM-like trees

pkgs.perl540Packages.XMLXPathEngine

Re-usable XPath engine for DOM-like trees

pkgs.perl538Packages.ZonemasterEngine

Tool to check the quality of a DNS zone

pkgs.perl540Packages.ZonemasterEngine

Tool to check the quality of a DNS zone

pkgs.perl540Packages.XMLXPathEngine.x86_64-linux

Re-usable XPath engine for DOM-like trees

pkgs.perl540Packages.XMLXPathEngine.aarch64-linux

Re-usable XPath engine for DOM-like trees

pkgs.perl540Packages.XMLXPathEngine.x86_64-darwin

Re-usable XPath engine for DOM-like trees

pkgs.perl540Packages.XMLXPathEngine.aarch64-darwin

Re-usable XPath engine for DOM-like trees

pkgs.perl540Packages.ZonemasterEngine.x86_64-linux

Tool to check the quality of a DNS zone

pkgs.perl540Packages.ZonemasterEngine.aarch64-linux

Tool to check the quality of a DNS zone

pkgs.perl540Packages.ZonemasterEngine.x86_64-darwin

Tool to check the quality of a DNS zone

pkgs.perl540Packages.ZonemasterEngine.aarch64-darwin

Tool to check the quality of a DNS zone

CVE-2024-10270
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 1 year ago by @LeSuisse Activity log
  • Created automatic suggestion 1 year ago
  • @LeSuisse accepted as draft 1 year ago
Org.keycloak:keycloak-services: keycloak denial of service

A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity.

Affected products

keycloak
  • <24.0.9
  • <26.0.6
rhbk/keycloak-rhel9
  • *
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
org.keycloak/keycloak-services

Matching in nixpkgs

CVE-2024-9979
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 1 year ago by @LeSuisse Activity log
  • Created automatic suggestion 1 year ago
  • @LeSuisse accepted as draft 1 year ago
Pyo3: risk of use-after-free in `borrowed` reads from python weak references

A flaw was found in PyO3. This vulnerability causes a use-after-free issue, potentially leading to memory corruption or crashes via unsound borrowing from weak Python references.

Affected products

pyo3
  • <0.22.4
python3.11-nh3
python3.11-rpds-py
python3.11-cryptography
python3.12-cryptography

Matching in nixpkgs

Package maintainers: 1

CVE-2023-6717
6.0 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): LOW
updated 1 year ago by @LeSuisse Activity log
  • Created automatic suggestion 1 year ago
  • @LeSuisse accepted as draft 1 year ago
Keycloak: xss via assertion consumer service url in saml post-binding flow

A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance.

Affected products

keycloak
  • <22.0.10
  • <24.0.3
mta/mta-ui-rhel8
mta/mta-ui-rhel9
rh-sso7-keycloak
rhdh-hub-container
rhbk/keycloak-rhel9
  • *
rhdh/rhdh-hub-rhel9
org.keycloak/keycloak-core
org.keycloak-keycloak-parent
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
openshift-gitops-1/gitops-rhel8-operator
openshift-serverless-1/logic-rhel8-operator
  • *
openshift-serverless-1/logic-operator-bundle
  • *
openshift-serverless-1/logic-swf-builder-rhel8
  • *
openshift-serverless-1/logic-swf-devmode-rhel8
  • *
openshift-serverless-1-logic-rhel8-operator-container
  • *
openshift-serverless-1/logic-data-index-ephemeral-rhel8
  • *
openshift-serverless-1-logic-swf-builder-rhel8-container
  • *
openshift-serverless-1-logic-swf-devmode-rhel8-container
  • *
openshift-serverless-1/logic-data-index-postgresql-rhel8
  • *
openshift-serverless-1/logic-jobs-service-ephemeral-rhel8
  • *
openshift-serverless-1/logic-jobs-service-postgresql-rhel8
  • *
openshift-serverless-1-logic-rhel8-operator-bundle-container
  • *
openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8
  • *
openshift-serverless-1-logic-data-index-ephemeral-rhel8-container
  • *
openshift-serverless-1-logic-data-index-postgresql-rhel8-container
  • *
openshift-serverless-1-logic-jobs-service-ephemeral-rhel8-container
  • *
openshift-serverless-1-logic-jobs-service-postgresql-rhel8-container
  • *
openshift-serverless-1-logic-kn-workflow-cli-artifacts-rhel8-container
  • *

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

Package maintainers: 3

CVE-2023-6291
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 1 year ago by @LeSuisse Activity log
  • Created automatic suggestion 1 year ago
  • @LeSuisse accepted as draft 1 year ago
Keycloak: redirect_uri validation bypass

A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.

Affected products

keycloak
rh-sso7-keycloak
  • *
rhbk/keycloak-rhel9
  • *
org.keycloak/keycloak-core
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
rh-sso-7/sso76-openshift-rhel8
  • *
rh-sso-7/sso7-rhel8-operator-bundle
  • *

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

Package maintainers: 3

CVE-2024-8698
7.7 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 1 year ago by @LeSuisse Activity log
  • Created automatic suggestion 1 year ago
  • @LeSuisse accepted as draft 1 year ago
Keycloak-saml-core: improper verification of saml responses leading to privilege escalation in keycloak

A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.

Affected products

keycloak
  • <25.0.5
eap8-hppc
  • *
eap8-log4j
  • *
eap8-slf4j
  • *
eap8-jctools
  • *
eap8-jgroups
  • *
eap8-wildfly
  • *
eap8-narayana
  • *
eap8-asyncutil
  • *
eap8-hibernate
  • *
eap8-saaj-impl
  • *
eap8-snakeyaml
  • *
eap8-apache-cxf
  • *
eap8-cryptacular
  • *
eap8-fastinfoset
  • *
rh-sso7-keycloak
  • *
eap8-aws-java-sdk
  • *
eap8-pem-keystore
  • *
eap8-aesh-readline
  • *
eap8-jboss-logging
  • *
eap8-objectweb-asm
  • *
eap8-artemis-native
  • *
rhbk/keycloak-rhel9
  • *
eap8-aesh-extensions
  • *
eap8-nimbus-jose-jwt
  • *
eap8-resteasy-spring
  • *
eap8-activemq-artemis
  • *
eap8-apache-commons-io
  • *
eap8-jboss-cert-helper
  • *
eap8-apache-commons-lang
  • *
eap8-hibernate-validator
  • *
eap8-resteasy-extensions
  • *
eap8-apache-commons-codec
  • *
eap8-insights-java-client
  • *
keycloak-saml-core-public
eap8-activemq-artemis-native
  • *
eap8-eap-product-conf-parent
  • *
eap8-shibboleth-java-support
  • *
org.keycloak-keycloak-parent
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
rh-sso-7/sso76-openshift-rhel8
  • *
eap8-apache-commons-collections
  • *
org.keycloak/keycloak-saml-core
eap8-artemis-wildfly-integration
  • *
eap8-jakarta-servlet-jsp-jstl-api
  • *
org.keycloak/keycloak-saml-core-public

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

Package maintainers: 3