Automatically generated suggestions

CVE-2025-3640 4.3 MEDIUM
CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): NONE
Availability impact (A): NONE
created 6 months ago

Moodle: idor in web service allows users enrolled in a course to access some details of other users

A flaw was found in Moodle. Insufficient capability checks made it possible for a user enrolled in a course to access some details, such as the full name and profile image URL, of other users they did not have permission to access.

moodle <4.5.4 <4.3.12 <4.1.18 <4.4.8

pkgs.moodle Free and open-source learning management system (LMS) written in PHP nixos-unstable 4.4.3 nixos-unstable-small 4.4.4 nixpkgs-unstable 4.4.3
pkgs.moodle-dl Moodle downloader that downloads course content fast from Moodle nixos-unstable 2.3.12 nixos-unstable-small 2.3.12 nixpkgs-unstable 2.3.12

Package maintainers: 2
@freezeboy freezeboy
@kmein Kierán Meinhardt <kmein@posteo.de>

CVE-2025-3643 5.4 MEDIUM
CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE
created 6 months ago

Moodle: reflected xss risk in policy tool

A flaw was found in Moodle. The return URL in the policy tool required additional sanitizing to prevent a reflected Cross-site scripting (XSS) risk.

moodle <4.5.4 <4.3.12 <4.1.18 <4.4.8

pkgs.moodle Free and open-source learning management system (LMS) written in PHP nixos-unstable 4.4.3 nixos-unstable-small 4.4.4 nixpkgs-unstable 4.4.3
pkgs.moodle-dl Moodle downloader that downloads course content fast from Moodle nixos-unstable 2.3.12 nixos-unstable-small 2.3.12 nixpkgs-unstable 2.3.12

Package maintainers: 2
@freezeboy freezeboy
@kmein Kierán Meinhardt <kmein@posteo.de>

CVE-2025-3642 8.8 HIGH
CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH
created 6 months ago

Moodle: authenticated remote code execution risk in the moodle lms equella repository

A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS EQUELLA repository. By default, this was only available to teachers and managers on sites with the EQUELLA repository enabled.

moodle <4.4.8 <4.5.4 <4.3.12 <4.1.18

pkgs.moodle Free and open-source learning management system (LMS) written in PHP nixos-unstable 4.4.3 nixos-unstable-small 4.4.4 nixpkgs-unstable 4.4.3
pkgs.moodle-dl Moodle downloader that downloads course content fast from Moodle nixos-unstable 2.3.12 nixos-unstable-small 2.3.12 nixpkgs-unstable 2.3.12

Package maintainers: 2
@freezeboy freezeboy
@kmein Kierán Meinhardt <kmein@posteo.de>

CVE-2025-46420 6.5 MEDIUM
CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): HIGH
created 6 months ago

Libsoup: memory leak on soup_header_parse_quality_list() via soup-headers.c

A flaw was found in libsoup. It is vulnerable to memory leaks in the soup_header_parse_quality_list() function when parsing a quality list that contains elements with all zeroes.

libsoup * <3.6.3 libsoup3

pkgs.libsoup_3 HTTP client/server library for GNOME nixos-unstable 3.6.0 nixos-unstable-small 3.6.0 nixpkgs-unstable 3.6.0
pkgs.libsoup_2_4 HTTP client/server library for GNOME nixos-unstable 2.74.3 nixos-unstable-small 2.74.3 nixpkgs-unstable 2.74.3
pkgs.libsoup_3.x86_64-linux HTTP client/server library for GNOME nixos-unstable ??? nixos-unstable-small 3.6.0
pkgs.libsoup_3.aarch64-linux HTTP client/server library for GNOME nixos-unstable ??? nixos-unstable-small 3.6.0
pkgs.libsoup_3.x86_64-darwin HTTP client/server library for GNOME nixos-unstable ??? nixos-unstable-small 3.6.0
pkgs.libsoup_2_4.x86_64-linux HTTP client/server library for GNOME nixos-unstable ??? nixos-unstable-small 2.74.3
pkgs.libsoup_3.aarch64-darwin HTTP client/server library for GNOME nixos-unstable ??? nixos-unstable-small 3.6.0
pkgs.libsoup_2_4.aarch64-linux HTTP client/server library for GNOME nixos-unstable ??? nixos-unstable-small 2.74.3
pkgs.libsoup_2_4.x86_64-darwin HTTP client/server library for GNOME nixos-unstable ??? nixos-unstable-small 2.74.3
pkgs.libsoup_2_4.aarch64-darwin HTTP client/server library for GNOME nixos-unstable ??? nixos-unstable-small 2.74.3
pkgs.tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4" Test whether libsoup-2.74.3 exposes pkg-config modules libsoup-gnome-2.4 nixos-unstable 2.4 nixos-unstable-small 2.4 nixpkgs-unstable 2.4

Package maintainers: 6
@jtojnar Jan Tojnar <jtojnar@gmail.com>
@bobby285271 Bobby Rong <rjl931189261@126.com>
@lovek323 Jason O'Conal <jason@oconal.id.au>
@dasj19 Daniel Șerbănescu <daniel@serbanescu.dk>
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
@hedning Tor Hedin Brønner <torhedinbronner@gmail.com>

CVE-2025-46483 6.5 MEDIUM
CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): LOW
created 6 months ago

WordPress Peadig’s Google +1 Button <= 0.1.2 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Moss Peadig’s Google +1 Button allows DOM-Based XSS. This issue affects Peadig’s Google +1 Button: from n/a through 0.1.2.

google-1 =<0.1.2

pkgs.python311Packages.cirq-google Framework for creating, editing, and invoking Noisy Intermediate Scale Quantum (NISQ) circuits nixos-unstable 1.4.1 nixos-unstable-small 1.4.1 nixpkgs-unstable 1.4.1
pkgs.python312Packages.cirq-google Framework for creating, editing, and invoking Noisy Intermediate Scale Quantum (NISQ) circuits nixos-unstable 1.4.1 nixos-unstable-small 1.4.1 nixpkgs-unstable 1.4.1

Package maintainers: 2
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@drewrisinger Drew Risinger <drisinger+nixpkgs@gmail.com>

CVE-2024-25982 4.3 MEDIUM
CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): NONE
Availability impact (A): NONE
created 6 months ago

Msa-24-0005: csrf risk in language import utility

The link to update all installed language packs did not include the necessary token to prevent a CSRF risk.

moodle <4.1.9 <4.3.3 <4.2.6

pkgs.moodle Free and open-source learning management system (LMS) written in PHP nixos-unstable 4.4.3 nixos-unstable-small 4.4.4 nixpkgs-unstable 4.4.3
pkgs.moodle-dl Moodle downloader that downloads course content fast from Moodle nixos-unstable 2.3.12 nixos-unstable-small 2.3.12 nixpkgs-unstable 2.3.12

Package maintainers: 2
@freezeboy freezeboy
@kmein Kierán Meinhardt <kmein@posteo.de>

CVE-2024-6387 8.1 HIGH
CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH
created 6 months ago

Openssh: regresshion - race condition in ssh allows rce/dos

A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

rhcos * OpenSSH =<9.7p1 openssh * rhceph-6-rhel9

pkgs.openssh Implementation of the SSH protocol nixos-unstable 9.9p1 nixos-unstable-small 9.9p1 nixpkgs-unstable 9.9p1
pkgs.opensshTest Implementation of the SSH protocol nixos-unstable 9.9p1 nixos-unstable-small 9.9p1 nixpkgs-unstable 9.9p1
pkgs.openssh_hpn Implementation of the SSH protocol with high performance networking patches nixos-unstable 9.9p1 nixos-unstable-small 9.9p1 nixpkgs-unstable 9.9p1
pkgs.openssh_gssapi Implementation of the SSH protocol with GSSAPI support nixos-unstable 9.9p1 nixos-unstable-small 9.9p1 nixpkgs-unstable 9.9p1
pkgs.opensshWithKerberos Implementation of the SSH protocol nixos-unstable 9.9p1 nixos-unstable-small 9.9p1 nixpkgs-unstable 9.9p1
pkgs.openssh_hpnWithKerberos Implementation of the SSH protocol with high performance networking patches nixos-unstable 9.9p1 nixos-unstable-small 9.9p1 nixpkgs-unstable 9.9p1
pkgs.lxqt.lxqt-openssh-askpass GUI to query passwords on behalf of SSH agents nixos-unstable 2.1.0 nixos-unstable-small 2.1.0 nixpkgs-unstable 2.1.0
pkgs.perl538Packages.NetOpenSSH Perl SSH client package implemented on top of OpenSSH nixos-unstable 0.84 nixos-unstable-small 0.84 nixpkgs-unstable 0.84
pkgs.perl540Packages.NetOpenSSH Perl SSH client package implemented on top of OpenSSH nixos-unstable 0.84 nixos-unstable-small 0.84 nixpkgs-unstable 0.84
pkgs.perl540Packages.NetOpenSSH.x86_64-linux Perl SSH client package implemented on top of OpenSSH nixos-unstable ??? nixpkgs-unstable 0.84
pkgs.perl540Packages.NetOpenSSH.aarch64-linux Perl SSH client package implemented on top of OpenSSH nixos-unstable ??? nixpkgs-unstable 0.84
pkgs.perl540Packages.NetOpenSSH.x86_64-darwin Perl SSH client package implemented on top of OpenSSH nixos-unstable ??? nixpkgs-unstable 0.84
pkgs.perl540Packages.NetOpenSSH.aarch64-darwin Perl SSH client package implemented on top of OpenSSH nixos-unstable ??? nixpkgs-unstable 0.84

Package maintainers: 6
@dasJ Janne Heß <janne@hess.ooo>
@helsinki-Jo Joachim Ernst <joachim.ernst@helsinki-systems.de>
@Conni2461 Simon Hauser <simon-hauser@outlook.com>
@aneeshusa Aneesh Agrawal <aneeshusa@gmail.com>
@wahjava Ashish SHUKLA <ashish.is@lostca.se>
@romildo José Romildo Malaquias <malaquias@gmail.com>

CVE-2025-46443 4.9 MEDIUM
CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE
created 6 months ago

WordPress Animate <= 0.5 - Server Side Request Forgery (SSRF) Vulnerability

Server-Side Request Forgery (SSRF) vulnerability in Adam Pery Animate allows Server Side Request Forgery. This issue affects Animate: from n/a through 0.5.

animate =<0.5

pkgs.vimPlugins.mini-animate nixos-unstable 2024-12-01 nixos-unstable-small 2024-12-01 nixpkgs-unstable 2024-12-01

CVE-2025-46505 6.5 MEDIUM
CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): LOW
created 6 months ago

WordPress Peekaboo <= 1.1 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in farinspace Peekaboo allows Stored XSS. This issue affects Peekaboo: from n/a through 1.1.

peekaboo =<1.1

pkgs.vimPlugins.vim-peekaboo nixos-unstable 2019-12-12 nixos-unstable-small 2019-12-12 nixpkgs-unstable 2019-12-12
pkgs.vimPlugins.vim-peekaboo.x86_64-linux nixos-unstable ??? nixos-unstable-small 2019-12-12
pkgs.vimPlugins.vim-peekaboo.aarch64-linux nixos-unstable ??? nixos-unstable-small 2019-12-12
pkgs.vimPlugins.vim-peekaboo.x86_64-darwin nixos-unstable ??? nixos-unstable-small 2019-12-12
pkgs.vimPlugins.vim-peekaboo.aarch64-darwin nixos-unstable ??? nixos-unstable-small 2019-12-12

CVE-2025-46421 6.8 MEDIUM
CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE
created 6 months ago

Libsoup: information disclosure may leads libsoup client sends authorization header to a different host when being redirected by a server

A flaw was found in libsoup. When libsoup clients encounter an HTTP redirect, they mistakenly send the HTTP Authorization header to the new host that the redirection points to. This allows the new host to impersonate the user to the original host that issued the redirect.

libsoup <3.6.5 * libsoup3 *

pkgs.libsoup_3 HTTP client/server library for GNOME nixos-unstable 3.6.0 nixos-unstable-small 3.6.0 nixpkgs-unstable 3.6.0
pkgs.libsoup_2_4 HTTP client/server library for GNOME nixos-unstable 2.74.3 nixos-unstable-small 2.74.3 nixpkgs-unstable 2.74.3
pkgs.libsoup_3.x86_64-linux HTTP client/server library for GNOME nixos-unstable ??? nixos-unstable-small 3.6.0
pkgs.libsoup_3.aarch64-linux HTTP client/server library for GNOME nixos-unstable ??? nixos-unstable-small 3.6.0
pkgs.libsoup_3.x86_64-darwin HTTP client/server library for GNOME nixos-unstable ??? nixos-unstable-small 3.6.0
pkgs.libsoup_2_4.x86_64-linux HTTP client/server library for GNOME nixos-unstable ??? nixos-unstable-small 2.74.3
pkgs.libsoup_3.aarch64-darwin HTTP client/server library for GNOME nixos-unstable ??? nixos-unstable-small 3.6.0
pkgs.libsoup_2_4.aarch64-linux HTTP client/server library for GNOME nixos-unstable ??? nixos-unstable-small 2.74.3
pkgs.libsoup_2_4.x86_64-darwin HTTP client/server library for GNOME nixos-unstable ??? nixos-unstable-small 2.74.3
pkgs.libsoup_2_4.aarch64-darwin HTTP client/server library for GNOME nixos-unstable ??? nixos-unstable-small 2.74.3
pkgs.tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4" Test whether libsoup-2.74.3 exposes pkg-config modules libsoup-gnome-2.4 nixos-unstable 2.4 nixos-unstable-small 2.4 nixpkgs-unstable 2.4

Package maintainers: 6
@jtojnar Jan Tojnar <jtojnar@gmail.com>
@bobby285271 Bobby Rong <rjl931189261@126.com>
@lovek323 Jason O'Conal <jason@oconal.id.au>
@dasj19 Daniel Șerbănescu <daniel@serbanescu.dk>
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
@hedning Tor Hedin Brønner <torhedinbronner@gmail.com>