Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2025-0016
published 9 months, 2 weeks ago
Permalink CVE-2023-39329
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 9 months, 2 weeks ago by @Erethon Activity log
  • Created suggestion
  • @Erethon accepted
  • @Erethon published on GitHub

Openjpeg: resource exhaustion will occur in the opj_t1_decode_cblks function in the tcd.c


openjpeg
  • ==2.5.0
openjpeg2
gimp:flatpak/openjpeg2
inkscape:flatpak/openjpeg2
libreoffice:flatpak/openjpeg2
NIXPKGS-2025-0017
published 9 months, 2 weeks ago
Permalink CVE-2023-39328
5.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 9 months, 2 weeks ago by @Erethon Activity log
  • Created suggestion
  • @Erethon accepted
  • @Erethon published on GitHub

Openjpeg: denail of service via crafted image file


openjpeg
  • ==2.5.0
openjpeg2
gimp:flatpak/openjpeg2
inkscape:flatpak/openjpeg2
libreoffice:flatpak/openjpeg2
NIXPKGS-2025-0018
published 9 months, 2 weeks ago
Permalink CVE-2023-5824
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 9 months, 2 weeks ago by @Erethon Activity log
  • Created suggestion
  • @Erethon accepted
  • @Erethon published on GitHub

Squid: dos against http and https


squid
  • ==6.4
  • *
squid:4
  • *
NIXPKGS-2025-0019
published 9 months, 2 weeks ago
Permalink CVE-2023-4727
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Adjacent (A)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Adjacent (A)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 9 months, 2 weeks ago by @Erethon Activity log
  • Created suggestion
  • @Erethon accepted
  • @Erethon published on GitHub

Ca: token authentication bypass vulnerability


keycloak
  • <11.5.1
pki-core
  • *
pki-core:10.6
  • *
redhat-pki:10
  • *
pki-core:10.6/pki-core
redhat-pki:10/pki-core
NIXPKGS-2025-0015
published 9 months, 2 weeks ago
Permalink CVE-2025-1828
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 9 months, 2 weeks ago by @Erethon Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @Erethon published on GitHub

Perl's Crypt::Random module after 1.05 and before 1.56 may use rand() function for cryptographic functions


Crypt-Random
  • <1.56
NIXPKGS-2025-0014
published 9 months, 2 weeks ago
Permalink CVE-2025-31162
6.6 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): High (H)
updated 9 months, 2 weeks ago by @Erethon Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @mweinelt dismissed
  • @mweinelt accepted
  • @Erethon published on GitHub

fig2dev float point exception


fig2dev
  • ==3.2.9a
NIXPKGS-2025-0013
published 9 months, 2 weeks ago
Permalink CVE-2025-1399
3.1 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 9 months, 2 weeks ago by @Erethon Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @Erethon published on GitHub

Out-of-bounds Read in libplctag library


libplctag
  • =<2.6.3
NIXPKGS-2025-0012
published 9 months, 2 weeks ago
Permalink CVE-2025-30673
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 9 months, 2 weeks ago by @Erethon Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @Erethon published on GitHub

Sub::HandlesVia for Perl allows untrusted code to be included from the current working directory


Sub-HandlesVia
  • <0.050002
NIXPKGS-2025-0011
published 9 months, 2 weeks ago
Permalink CVE-2024-2947
7.3 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 9 months, 2 weeks ago by @Erethon Activity log
  • Created suggestion
  • @Erethon dismissed
  • @Erethon accepted
  • @Erethon published on GitHub

Cockpit: command injection when deleting a sosreport with a crafted name


cockpit
  • ==314
  • *
  • *
NIXPKGS-2025-0010
published 9 months, 3 weeks ago
Permalink CVE-2025-31384
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 9 months, 3 weeks ago by @Erethon Activity log
  • Created suggestion
  • @LeSuisse dismissed
  • @Erethon accepted
  • @Erethon added maintainer @Erethon maintainer.add
  • @Erethon deleted maintainer @Erethon maintainer.delete
  • @Erethon published on GitHub

WordPress Videos plugin <= 1.0.5 - Cross Site Scripting (XSS) vulnerability


videos
  • =<1.0.5