Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2025-0008
published 9 months, 3 weeks ago
Permalink CVE-2025-53882
9.1 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 9 months, 3 weeks ago by @Erethon Activity log
  • Created suggestion
  • @Erethon accepted
  • @Erethon published on GitHub

python-mailmans logrotate configuration allows potential escalation from mailman to root


mailman3
  • <3.3.10-2.1
NIXPKGS-2025-0007
published 9 months, 3 weeks ago
Permalink CVE-2025-30192
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 9 months, 3 weeks ago by @Erethon Activity log
  • Created suggestion
  • @Erethon accepted
  • @Erethon deleted maintainer @rnhmjoj maintainer.delete
  • @Erethon added maintainer @Erethon maintainer.add
  • @Erethon published on GitHub

A Recursor configured to send out ECS enabled queries can be sensitive to spoofing attempts


pdns-recursor
  • ==5.0.12
  • ==5.2.4
  • ==5.1.6
NIXPKGS-2025-0006
published 9 months, 4 weeks ago
Permalink CVE-2025-47444
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 9 months, 4 weeks ago by @Erethon Activity log
  • Created suggestion
  • @Erethon accepted
  • @Erethon published on GitHub

WordPress GiveWP Plugin < 4.6.1 is vulnerable to Sensitive Data (PII) Exposure


give
  • <4.6.1
NIXPKGS-2025-0005
published 9 months, 4 weeks ago
Permalink CVE-2023-39327
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 9 months, 4 weeks ago by @Erethon Activity log
  • Created suggestion
  • @Erethon accepted
  • @Erethon published on GitHub

Openjpeg: malicious files can cause the program to enter a large loop


openjpeg
  • ==2.5.0
openjpeg2
gimp:flatpak/openjpeg2
inkscape:flatpak/openjpeg2
libreoffice:flatpak/openjpeg2
NIXPKGS-2025-0004
published 9 months, 4 weeks ago
Permalink CVE-2025-40920
8.6 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 9 months, 4 weeks ago by @Erethon Activity log
  • Created suggestion
  • @Erethon accepted
  • @Erethon published on GitHub

Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl use insecurely generated nonces


Catalyst-Authentication-Credential-HTTP
  • =<1.018
NIXPKGS-2025-0002
published 1 year, 1 month ago
updated 1 year, 1 month ago by @fricklerhandwerk Activity log
  • Created suggestion
  • @fricklerhandwerk accepted
  • @fricklerhandwerk published on GitHub

Regular Expression Denial of Service (ReDoS) in markedjs/marked


marked
  • <0.3.17
NIXPKGS-2025-0001
published 1 year, 2 months ago
Permalink CVE-2025-26466
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 1 year, 2 months ago by @mweinelt Activity log
  • Created suggestion
  • @fricklerhandwerk accepted
  • @mweinelt published on GitHub

Openssh: denial-of-service in openssh


rhcos
OpenSSH
  • =<9.9p1
openssh
NIXPKGS-2024-0001
published 1 year, 7 months ago
Permalink CVE-2024-9675
4.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 months, 3 weeks ago by @ADMIN Activity log
  • @ADMIN published on GitHub

Buildah: buildah allows arbitrary directory mount


cri-o
conmon
podman
  • *
skopeo
buildah
  • <1.38.0
  • *
buildah-container
container-tools:rhel8
  • *
quay/quay-builder-rhel8
ocp-tools-4/jenkins-rhel8
container-tools:rhel8/conmon
container-tools:rhel8/podman
container-tools:rhel8/skopeo
container-tools:rhel8/buildah
openshift4/ose-docker-builder
  • *
openshift4/ose-docker-builder-rhel9
  • *
ocp-tools-4/jenkins-agent-base-rhel8
openshift-enterprise-builder-container
  • *