Nixpkgs Security Tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Automatically generated suggestions

to queue a suggestion for refinement.

to remove a suggestion from the queue.

CVE-2025-6545
created 5 months, 3 weeks ago
pbkdf2 silently returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos supported by Node.js

Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js. This issue affects pbkdf2: from 3.0.10 through 3.1.2.

Affected products

pbkdf2
  • =<3.1.2

Matching in nixpkgs

pkgs.fastpbkdf2

Fast PBKDF2-HMAC-{SHA1,SHA256,SHA512} implementation in C

pkgs.python312Packages.pbkdf2.x86_64-linux

pkgs.python312Packages.pbkdf2.aarch64-linux

pkgs.python312Packages.pbkdf2.x86_64-darwin

pkgs.python312Packages.pbkdf2.aarch64-darwin

Package maintainers: 3

CVE-2025-5416
2.7 LOW
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 5 months, 3 weeks ago
Keycloak-core: keycloak environment information

A vulnerability has been identified in Keycloak that could lead to unauthorized information disclosure. While it requires an already authenticated user, the /admin/serverinfo endpoint can inadvertently provide sensitive environment information.

Affected products

keycloak

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

pkgs.python311Packages.python-keycloak

Provides access to the Keycloak API

pkgs.python312Packages.python-keycloak

Provides access to the Keycloak API

pkgs.python313Packages.python-keycloak

Provides access to the Keycloak API

pkgs.python312Packages.python-keycloak.x86_64-linux

Provides access to the Keycloak API

pkgs.python312Packages.python-keycloak.aarch64-linux

Provides access to the Keycloak API

pkgs.python312Packages.python-keycloak.x86_64-darwin

Provides access to the Keycloak API

pkgs.python312Packages.python-keycloak.aarch64-darwin

Provides access to the Keycloak API

Package maintainers: 3

CVE-2025-6019
7.0 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 5 months, 4 weeks ago
Libblockdev: lpe from allow_active to root in libblockdev via udisks

A Local Privilege Escalation (LPE) vulnerability was found in libblockdev. Generally, the "allow_active" setting in Polkit permits a physically present user to take certain actions based on the session type. Due to the way libblockdev interacts with the udisks daemon, an "allow_active" user on a system may be able escalate to full root privileges on the target host. Normally, udisks mounts user-provided filesystem images with security flags like nosuid and nodev to prevent privilege escalation. However, a local attacker can create a specially crafted XFS image containing a SUID-root shell, then trick udisks into resizing it. This mounts their malicious filesystem with root privileges, allowing them to execute their SUID-root shell and gain complete control of the system.

Affected products

libblockdev
  • *
  • <3.3.1

Matching in nixpkgs

pkgs.libblockdev

Library for manipulating block devices

Package maintainers: 1

CVE-2025-6384
created 5 months, 4 weeks ago
Improper Control of Dynamically-Managed Code Resources in Crafter Studio

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of CrafterCMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass. By inserting malicious Groovy elements, an attacker may bypass Sandbox restrictions and obtain RCE (Remote Code Execution). This issue affects CrafterCMS: from 4.0.0 through 4.2.2.

Affected products

Studio
  • <4.3.0

Matching in nixpkgs

pkgs.rstudio.x86_64-linux

Set of integrated tools for the R language

pkgs.rstudio-server.x86_64-linux

Set of integrated tools for the R language

pkgs.vscode-extensions.visualstudiotoolsforunity.vstuc

Integrates Visual Studio Code for Unity

pkgs.vscode-extensions.visualstudioexptteam.vscodeintellicode

AI-assisted development

pkgs.vscode-extensions.visualstudioexptteam.intellicode-api-usage-examples

See relevant code examples from GitHub for over 100K different APIs right in your editor

pkgs.vscode-extensions.visualstudioexptteam.vscodeintellicode.x86_64-linux

AI-assisted development

pkgs.vscode-extensions.visualstudioexptteam.vscodeintellicode.aarch64-linux

AI-assisted development

pkgs.vscode-extensions.visualstudioexptteam.vscodeintellicode.x86_64-darwin

AI-assisted development

pkgs.vscode-extensions.visualstudioexptteam.vscodeintellicode.aarch64-darwin

AI-assisted development

pkgs.vscode-extensions.visualstudioexptteam.intellicode-api-usage-examples.x86_64-linux

See relevant code examples from GitHub for over 100K different APIs right in your editor

pkgs.vscode-extensions.visualstudioexptteam.intellicode-api-usage-examples.aarch64-linux

See relevant code examples from GitHub for over 100K different APIs right in your editor

pkgs.vscode-extensions.visualstudioexptteam.intellicode-api-usage-examples.x86_64-darwin

See relevant code examples from GitHub for over 100K different APIs right in your editor

pkgs.vscode-extensions.visualstudioexptteam.intellicode-api-usage-examples.aarch64-darwin

See relevant code examples from GitHub for over 100K different APIs right in your editor

Package maintainers: 5

CVE-2025-49178
5.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months ago
Xorg-x11-server-xwayland: xorg-x11-server: tigervnc: unprocessed client request due to bytes to ignore

A flaw was found in the X server's request handling. Non-zero 'bytes to ignore' in a client's request can cause the server to skip processing another client's request, potentially leading to a denial of service.

Affected products

tigervnc
  • *
xwayland
  • <24.1.7
xorg-x11-server
  • *
xorg-x11-server-Xwayland
  • *

Matching in nixpkgs

CVE-2023-6258
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
Pkcs11-provider: side-channel proofing pkcs#1 1.5 paths

A security vulnerability has been identified in the pkcs11-provider, which is associated with Public-Key Cryptography Standards (PKCS#11). If exploited successfully, this vulnerability could result in a Bleichenbacher-like security flaw, potentially enabling a side-channel attack on PKCS#1 1.5 decryption.

Affected products

pkcs11-provider

Matching in nixpkgs

pkgs.pkcs11-provider

OpenSSL 3.x provider to access hardware or software tokens using the PKCS#11 Cryptographic Token Interface

pkgs.pkcs11-provider.x86_64-linux

OpenSSL 3.x provider to access hardware or software tokens using the PKCS#11 Cryptographic Token Interface

pkgs.pkcs11-provider.aarch64-linux

OpenSSL 3.x provider to access hardware or software tokens using the PKCS#11 Cryptographic Token Interface

pkgs.pkcs11-provider.x86_64-darwin

OpenSSL 3.x provider to access hardware or software tokens using the PKCS#11 Cryptographic Token Interface

pkgs.pkcs11-provider.aarch64-darwin

OpenSSL 3.x provider to access hardware or software tokens using the PKCS#11 Cryptographic Token Interface

Package maintainers: 1

CVE-2023-6476
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months ago
Cri-o: pods are able to break out of resource confinement on cgroupv2

A flaw was found in CRI-O that involves an experimental annotation leading to a container being unconfined. This may allow a pod to specify and get any amount of memory/cpu, circumventing the kubernetes scheduler and potentially resulting in a denial of service in the node.

Affected products

cri-o
  • *
cri-o:1.21/cri-o

Matching in nixpkgs

pkgs.cri-o

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

pkgs.cri-o-unwrapped

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

Package maintainers: 2

CVE-2025-6196
5.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months ago
Libgepub: integer overflow in libgepub's epub archive handling

A flaw was found in libgepub, a library used to read EPUB files. The software mishandles file size calculations when opening specially crafted EPUB files, leading to incorrect memory allocations. This issue causes the application to crash. Known affected usage includes desktop services like Tumbler, which may process malicious files automatically when browsing directories. While no direct remote attack vectors are confirmed, any application using libgepub to parse user-supplied EPUB content could be vulnerable to a denial of service.

Affected products

libgepub
  • <0.7.2

Matching in nixpkgs

pkgs.libgepub

GObject based library for handling and rendering epub documents

Package maintainers: 4

CVE-2025-49258
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
WordPress Maia <= 1.1.15 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Maia allows PHP Local File Inclusion. This issue affects Maia: from n/a through 1.1.15.

Affected products

maia
  • =<1.1.15

Matching in nixpkgs

Package maintainers: 2

CVE-2024-0409
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
Xorg-x11-server: selinux context corruption

A flaw was found in the X.Org server. The cursor code in both Xephyr and Xwayland uses the wrong type of private at creation. It uses the cursor bits type with the cursor as private, and when initiating the cursor, that overwrites the XSELINUX context.

Affected products

tigervnc
xorg-server
  • <21.1.11
xorg-x11-server
  • *
xorg-x11-server-Xwayland
  • *

Matching in nixpkgs