Nixpkgs Security Tracker


Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2025-0019
published on 26 Sep 2025
updated 4 months, 1 week ago by @Erethon Activity log
  • Created automatic suggestion
  • @Erethon accepted
  • @Erethon published on GitHub
Ca: token authentication bypass vulnerability

A flaw was found in dogtag-pki and pki-core. The token authentication scheme can be bypassed with an LDAP injection. By passing the query string parameter sessionID=*, an attacker can authenticate with an existing session saved in the LDAP directory server, which may lead to escalation of privilege.

Affected products

keycloak
  • <11.5.1
pki-core
  • *
pki-core:10.6
  • *
redhat-pki:10
  • *
pki-core:10.6/pki-core
redhat-pki:10/pki-core

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

pkgs.terraform-providers.keycloak

None

pkgs.python311Packages.python-keycloak

Provides access to the Keycloak API

pkgs.python312Packages.python-keycloak

Provides access to the Keycloak API

pkgs.python313Packages.python-keycloak

Provides access to the Keycloak API

Package maintainers

NIXPKGS-2025-0018
published on 26 Sep 2025
updated 4 months, 1 week ago by @Erethon Activity log
  • Created automatic suggestion
  • @Erethon accepted
  • @Erethon published on GitHub
Squid: dos against http and https

A flaw was found in Squid. The limits applied for validation of HTTP response headers are applied before caching. However, Squid may grow a cached HTTP response header beyond the configured maximum size, causing a stall or crash of the worker process when a large header is retrieved from the disk cache, resulting in a denial of service.

Affected products

squid
  • ==6.4
  • *
squid:4
  • *

Matching in nixpkgs

pkgs.squid

Caching proxy for the Web supporting HTTP, HTTPS, FTP, and more

pkgs.prometheus-squid-exporter

Squid Prometheus exporter

pkgs.python311Packages.flyingsquid

More interactive weak supervision with FlyingSquid

pkgs.python312Packages.flyingsquid

More interactive weak supervision with FlyingSquid

pkgs.python313Packages.flyingsquid

More interactive weak supervision with FlyingSquid

Package maintainers

NIXPKGS-2025-0017
published on 26 Sep 2025
updated 4 months, 1 week ago by @Erethon Activity log
  • Created automatic suggestion
  • @Erethon accepted
  • @Erethon published on GitHub
Openjpeg: denial of service via crafted image file

A vulnerability was found in OpenJPEG similar to CVE-2019-6988. This flaw allows an attacker to bypass existing protections and cause an application crash through a maliciously crafted file.

Affected products

openjpeg
  • ==2.5.0
openjpeg2
gimp:flatpak/openjpeg2
inkscape:flatpak/openjpeg2
libreoffice:flatpak/openjpeg2

Matching in nixpkgs

pkgs.openjpeg

Open-source JPEG 2000 codec written in C language

pkgs.python311Packages.pylibjpeg-openjpeg

A J2K and JP2 plugin for pylibjpeg

pkgs.python312Packages.pylibjpeg-openjpeg

A J2K and JP2 plugin for pylibjpeg

pkgs.python313Packages.pylibjpeg-openjpeg

A J2K and JP2 plugin for pylibjpeg

Package maintainers

NIXPKGS-2025-0015
published on 25 Sep 2025
updated 4 months, 1 week ago by @Erethon Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
  • @Erethon published on GitHub
Perl's Crypt::Random module after 1.05 and before 1.56 may use rand() function for cryptographic functions

The Crypt::Random Perl package 1.05 through 1.55 may use the rand() function, which is not cryptographically strong, for cryptographic functions. Crypt::Random::rand 1.05 through 1.55 uses the rand() function. If the Provider is not specified and neither /dev/urandom nor an Entropy Gathering Daemon (egd) service is available, Crypt::Random will default to the insecure Crypt::Random::rand provider. In particular, Windows versions of perl will encounter this issue by default.

Affected products

Crypt-Random
  • <1.56

Matching in nixpkgs

pkgs.perl538Packages.CryptRandom

Interface to /dev/random and /dev/urandom

pkgs.perl540Packages.CryptRandom

Interface to /dev/random and /dev/urandom

pkgs.perl538Packages.CryptRandomSeed

Provide strong randomness for seeding

pkgs.perl540Packages.CryptRandomSeed

Provide strong randomness for seeding

pkgs.perl538Packages.CryptRandomSource

Get weak or strong random data from pluggable sources

pkgs.perl538Packages.CryptRandomTESHA2

Random numbers using timer/schedule entropy, aka userspace voodoo entropy

pkgs.perl540Packages.CryptRandomSource

Get weak or strong random data from pluggable sources

pkgs.perl540Packages.CryptRandomTESHA2

Random numbers using timer/schedule entropy, aka userspace voodoo entropy

Package maintainers

NIXPKGS-2025-0011
published on 25 Sep 2025
updated 4 months, 1 week ago by @Erethon Activity log
  • Created automatic suggestion
  • @Erethon dismissed
  • @Erethon accepted
  • @Erethon published on GitHub
Cockpit: command injection when deleting a sosreport with a crafted name

A flaw was found in Cockpit. Deleting a sosreport with a crafted name via the Cockpit web interface can lead to a command injection vulnerability, resulting in privilege escalation. This issue affects Cockpit versions 270 and newer.

Affected products

cockpit
  • ==314
  • *
  • *

Matching in nixpkgs

NIXPKGS-2025-0012
published on 25 Sep 2025
updated 4 months, 1 week ago by @Erethon Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
  • @Erethon published on GitHub
Sub::HandlesVia for Perl allows untrusted code to be included from the current working directory

Sub::HandlesVia for Perl before 0.050002 allows untrusted code from the current working directory ('.') to be loaded, similar to CVE-2016-1238. If an attacker can place a malicious file in the current working directory, it may be loaded instead of the intended file, potentially leading to arbitrary code execution. Sub::HandlesVia uses Mite to produce the affected code section, due to CVE-2025-30672.

Affected products

Sub-HandlesVia
  • <0.050002

Matching in nixpkgs

pkgs.perl538Packages.SubHandlesVia

Alternative handles_via implementation

pkgs.perl540Packages.SubHandlesVia

Alternative handles_via implementation

NIXPKGS-2025-0013
published on 25 Sep 2025
updated 4 months, 1 week ago by @Erethon Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
  • @Erethon published on GitHub
Out-of-bounds Read in libplctag library

An out-of-bounds read vulnerability in unpack_response (session.c) in libplctag from 2.0 through 2.6.3 allows buffer overreads via the network.

Affected products

libplctag
  • =<2.6.3

Matching in nixpkgs

pkgs.libplctag

Library that uses EtherNet/IP or Modbus TCP to read and write tags in PLCs

Package maintainers

NIXPKGS-2025-0014
published on 25 Sep 2025
updated 4 months, 1 week ago by @Erethon Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
  • @mweinelt dismissed
  • @mweinelt accepted
  • @Erethon published on GitHub
fig2dev floating point exception

A floating point exception in fig2dev version 3.2.9a allows an attacker to impact availability via local input manipulation reaching the get_slope function.

Affected products

fig2dev
  • ==3.2.9a

Matching in nixpkgs

pkgs.fig2dev

Tool to convert Xfig files to other formats

Package maintainers

NIXPKGS-2025-0010
published on 23 Sep 2025
updated 4 months, 1 week ago by @Erethon Activity log
  • Created automatic suggestion
  • @LeSuisse dismissed
  • @Erethon accepted
  • @Erethon added maintainer @Erethon
  • @Erethon removed maintainer @Erethon
  • @Erethon published on GitHub
WordPress Videos plugin <= 1.0.5 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Aviplugins Videos allows Reflected XSS. This issue affects Videos: from n/a through 1.0.5.

Affected products

videos
  • =<1.0.5

Matching in nixpkgs

pkgs.pantheon.elementary-videos

Video player and library app designed for elementary OS

Package maintainers

NIXPKGS-2025-0008
published on 19 Sep 2025
updated 4 months, 2 weeks ago by @Erethon Activity log
  • Created automatic suggestion
  • @Erethon accepted
  • @Erethon published on GitHub
python-mailman's logrotate configuration allows potential escalation from mailman to root

A Reliance on Untrusted Inputs in a Security Decision vulnerability in the logrotate configuration for openSUSE's mailman3 package allows potential escalation from mailman to root. This issue affects openSUSE Tumbleweed: from ? before 3.3.10-2.1.

Affected products

mailman3
  • <3.3.10-2.1

Matching in nixpkgs

Package maintainers