Nixpkgs Security Tracker


Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2025-0007
published on 18 Sep 2025
updated 4 months, 2 weeks ago by @Erethon
Activity log
  • Created automatic suggestion
  • @Erethon accepted
  • @Erethon removed maintainer @rnhmjoj
  • @Erethon added maintainer @Erethon
  • @Erethon published on GitHub
A Recursor configured to send out ECS enabled queries can be sensitive to spoofing attempts

An attacker spoofing answers to ECS-enabled queries sent out by the Recursor has a higher chance of success than against non-ECS queries. The updated versions include various mitigations against spoofing of ECS-enabled queries: they chain ECS-enabled requests and enforce stricter validation of the received answers. The strictest mitigation is applied when the new setting outgoing.edns_subnet_harden (old-style name edns-subnet-harden) is enabled.
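The hardening setting in Recursor 5.x YAML form, as an added example that is not part of the tracker entry or of the PowerDNS advisory. The layout under the `outgoing:` section follows the new-style setting name given above; the allow-list entry is a constructed placeholder, since the Recursor only sends ECS to the servers and zones listed in the allow-list and that list is what exposes a deployment to the spoofing described:

```yaml
# recursor.yml (Recursor 5.x YAML settings); values are illustrative.
outgoing:
  # ECS is only attached to queries for the servers or zones listed here.
  # Every entry widens the spoofing surface the advisory describes, so keep
  # the list as small as the deployment allows (placeholder zone below).
  edns_subnet_allow_list:
    - example.com
  # Strictest validation of answers to ECS-enabled queries.
  # Old-style recursor.conf equivalent: edns-subnet-harden=yes
  edns_subnet_harden: true
```

Deployments that never populate the allow-list do not send ECS-enabled queries and are not exposed to this issue; for those that do, upgrade first, then enable the hardening setting and watch for answers that the stricter validation now rejects.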

Affected products

pdns-recursor
  • ==5.1.6
  • ==5.0.12
  • ==5.2.4

Matching in nixpkgs

pkgs.pdns-recursor

Recursive DNS server


NIXPKGS-2025-0006
published on 17 Sep 2025
updated 4 months, 2 weeks ago by @Erethon
Activity log
  • Created automatic suggestion
  • @Erethon accepted
  • @Erethon published on GitHub
WordPress GiveWP Plugin < 4.6.1 is vulnerable to Sensitive Data (PII) Exposure

An Insertion of Sensitive Information Into Sent Data vulnerability in Liquid Web GiveWP allows an attacker to retrieve embedded sensitive data. This issue affects GiveWP: from n/a before 4.6.1.

Affected products

give
  • <4.6.1

Matching in nixpkgs

NIXPKGS-2025-0005
published on 17 Sep 2025
updated 4 months, 2 weeks ago by @Erethon
Activity log
  • Created automatic suggestion
  • @Erethon accepted
  • @Erethon published on GitHub
Openjpeg: malicious files can cause the program to enter a large loop

A flaw was found in OpenJPEG. A maliciously constructed image can cause the program to enter a large loop and continuously print warning messages on the terminal.

Affected products

openjpeg
  • ==2.5.0
openjpeg2
gimp:flatpak/openjpeg2
inkscape:flatpak/openjpeg2
libreoffice:flatpak/openjpeg2

Matching in nixpkgs

pkgs.openjpeg

Open-source JPEG 2000 codec written in C language

pkgs.python311Packages.pylibjpeg-openjpeg

A J2K and JP2 plugin for pylibjpeg

pkgs.python312Packages.pylibjpeg-openjpeg

A J2K and JP2 plugin for pylibjpeg

pkgs.python313Packages.pylibjpeg-openjpeg

A J2K and JP2 plugin for pylibjpeg


NIXPKGS-2025-0004
published on 16 Sep 2025
updated 4 months, 2 weeks ago by @Erethon
Activity log
  • Created automatic suggestion
  • @Erethon accepted
  • @Erethon published on GitHub
Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl use insecurely generated nonces

Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library.
  • Data::UUID does not use a strong cryptographic source for generating UUIDs.
  • Data::UUID returns v3 UUIDs, which are generated from known information and are unsuitable for security, as per RFC 9562.
  • The nonces should be generated from a strong cryptographic source, as per RFC 7616.
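Why a name-based UUID is not a nonce, and what a nonce built the way RFC 7616 suggests looks like instead. This is an added illustration in Python, not the Perl module's code or its fix: Python's uuid3 stands in for Data::UUID's name-based UUIDs (same construction, MD5 over a namespace and a known input), the server key is generated in-process only so the example runs stand-alone, and the nonce layout (timestamp, CSPRNG bytes, HMAC tag) is one reasonable design, not the one the module adopted:

```python
import hashlib
import hmac
import secrets
import time
import uuid
from base64 import b64decode, b64encode

# Hypothetical server-side key. A real deployment loads it from configuration
# and rotates it; it is generated here only so the example runs stand-alone.
SERVER_SECRET = secrets.token_bytes(32)

TS_LEN, RND_LEN, TAG_LEN = 8, 16, 32


def weak_nonce_v3(name):
    """Name-based (v3) UUID: MD5 over a fixed namespace plus a known input.
    Anyone who knows the input recomputes the same value, so it carries no
    unpredictability at all, which is the property the advisory objects to."""
    return str(uuid.uuid3(uuid.NAMESPACE_URL, name))


def strong_nonce(now=None, secret=SERVER_SECRET):
    """Nonce in the style RFC 7616 suggests: issue time plus bytes from the OS
    CSPRNG, bound together by an HMAC under a server secret so the server can
    later check that it minted the nonce and how old it is without storing it."""
    ts = int(time.time()) if now is None else int(now)
    body = ts.to_bytes(TS_LEN, "big") + secrets.token_bytes(RND_LEN)
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return b64encode(body + tag).decode("ascii")


def verify_nonce(nonce, max_age=300, now=None, secret=SERVER_SECRET):
    """Accept only nonces this server minted that are at most max_age seconds
    old and not from the future. The tag comparison is constant-time."""
    try:
        raw = b64decode(nonce, validate=True)
    except (ValueError, TypeError):
        return False
    if len(raw) != TS_LEN + RND_LEN + TAG_LEN:
        return False
    body, tag = raw[: TS_LEN + RND_LEN], raw[TS_LEN + RND_LEN :]
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False
    issued = int.from_bytes(body[:TS_LEN], "big")
    current = int(time.time()) if now is None else int(now)
    return 0 <= current - issued <= max_age


if __name__ == "__main__":
    # The same realm and client name twice give the same "nonce": predictable.
    print("v3:    ", weak_nonce_v3("realm=api client=alice"))
    print("v3:    ", weak_nonce_v3("realm=api client=alice"))
    # Fresh nonces differ every time and verify while they are within max_age.
    n = strong_nonce()
    print("strong:", n, verify_nonce(n))
```

The HMAC is what lets the server stay stateless: a client cannot mint its own nonce or extend the lifetime of an old one without the key, and a replay past max_age is rejected by the embedded timestamp rather than by a server-side table of issued nonces.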

Affected products

Catalyst-Authentication-Credential-HTTP
  • =<1.018

Matching in nixpkgs

pkgs.perl538Packages.CatalystAuthenticationCredentialHTTP

HTTP Basic and Digest authentication for Catalyst

pkgs.perl540Packages.CatalystAuthenticationCredentialHTTP

HTTP Basic and Digest authentication for Catalyst

NIXPKGS-2025-0002
published on 24 May 2025
updated 8 months, 1 week ago by @fricklerhandwerk
Activity log
  • Created automatic suggestion
  • @fricklerhandwerk accepted
  • @fricklerhandwerk published on GitHub
Regular Expression Denial of Service (ReDoS) in markedjs/marked

Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit this vulnerability by providing specially crafted markdown input, such as deeply nested or repetitively structured brackets or tag attributes, which cause the parser to hang and lead to a Denial of Service.

Affected products

marked
  • <0.3.17

Matching in nixpkgs

pkgs.marked-man

Markdown to roff wrapper around marked


NIXPKGS-2025-0001
published on 13 May 2025
updated 8 months, 3 weeks ago by @mweinelt
Activity log
  • Created automatic suggestion
  • @fricklerhandwerk accepted
  • @mweinelt published on GitHub
Openssh: denial-of-service in openssh

A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packets. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packets, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service.

Affected products

rhcos
OpenSSH
  • =<9.9p1
openssh

Matching in nixpkgs

pkgs.openssh

Implementation of the SSH protocol

pkgs.opensshTest

Implementation of the SSH protocol

pkgs.openssh_hpn

Implementation of the SSH protocol with high performance networking patches

pkgs.openssh_gssapi

Implementation of the SSH protocol with GSSAPI support


NIXPKGS-2024-0001
published on 13 Dec 2024
created 1 year, 1 month ago
Buildah: buildah allows arbitrary directory mount

A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within Buildah's cache directory, allowing a `RUN` instruction in a Containerfile to mount an arbitrary directory from the host (read/write) into the container, as long as those files can be accessed by the user running Buildah.
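The missing check in general form: a user-controlled cache name or sub-path must resolve to a location under the cache root, and the comparison has to be made on the canonical path, not on the string the user supplied. This is an added Python illustration of that containment check, not Buildah's code or its fix; the cache root and the sample paths are constructed for the example:

```python
import os


def resolve_cache_path(cache_root, user_path):
    """Map a caller-supplied cache identifier or sub-path onto a location
    under cache_root, refusing anything that would resolve outside it.
    Returns the canonical absolute path, or raises ValueError."""
    root = os.path.realpath(cache_root)
    # A cache id names something inside the cache, never a host location:
    # drop any leading slash so "/etc" becomes "<root>/etc", not the host's /etc.
    relative = user_path.lstrip("/")
    # realpath collapses "..", duplicate separators and, for paths that exist,
    # symlinks, so a link inside the cache that points outside is caught too.
    candidate = os.path.realpath(os.path.join(root, relative))
    # commonpath works on path components, so "<root>2/x" is not mistaken for
    # a child of "<root>" the way a plain startswith() check would be.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("cache path escapes %s: %r" % (root, user_path))
    return candidate


def cache_path_allowed(cache_root, user_path):
    """Boolean form of resolve_cache_path for quick policy checks."""
    try:
        resolve_cache_path(cache_root, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    root = "/srv/buildah-cache"  # hypothetical cache directory
    samples = ["go-mod", "pip/wheels", "a/../b", "../../etc",
               "/etc/shadow", "x/../../../root"]
    for p in samples:
        verdict = "allowed" if cache_path_allowed(root, p) else "REJECTED"
        print("%-18s -> %s" % (p, verdict))
```

The two traversal samples resolve to /etc and /root and are rejected, while an absolute-looking id such as /etc/shadow is re-rooted under the cache rather than honoured as a host path. Canonicalising before comparing is the whole point: a check on the raw string would pass "x/../../../root" because it contains no leading slash and no "../" prefix.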

Affected products

cri-o
conmon
podman
  • *
skopeo
buildah
  • <1.38.0
  • *
buildah-container
container-tools:rhel8
  • *
quay/quay-builder-rhel8
ocp-tools-4/jenkins-rhel8
container-tools:rhel8/conmon
container-tools:rhel8/podman
container-tools:rhel8/skopeo
container-tools:rhel8/buildah
openshift4/ose-docker-builder
  • *
openshift4/ose-docker-builder-rhel9
  • *
ocp-tools-4/jenkins-agent-base-rhel8
openshift-enterprise-builder-container
  • *

Matching in nixpkgs

pkgs.cri-o

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

pkgs.podman

Program for managing pods, containers and container images

pkgs.skopeo

Command line utility for various operations on container images and image repositories

pkgs.buildah

Tool which facilitates building OCI images

pkgs.conmon-rs

OCI container runtime monitor written in Rust

pkgs.podman-tui

Podman Terminal UI

pkgs.podman-compose

Implementation of docker-compose with podman backend

pkgs.podman-desktop

A graphical tool for developing on containers and Kubernetes

pkgs.cri-o-unwrapped

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

pkgs.buildah-unwrapped

Tool which facilitates building OCI images

pkgs.nomad-driver-podman

Podman task driver for Nomad

pkgs.python311Packages.podman

Python bindings for Podman's RESTful API

pkgs.python312Packages.podman

Python bindings for Podman's RESTful API
