Nixpkgs Security Tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Automatically generated suggestions

to queue a suggestion for refinement.

to remove a suggestion from the queue.

CVE-2025-4478
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): HIGH
created 7 months ago
Gnome-remote-desktop: unauthenticated rdp packet causes segfault in gnome-remote-desktop leading to denial of service

A flaw was found in the gnome-remote-desktop used by Anaconda's remote install feature, where a crafted RDP packet could trigger a segmentation fault. This issue causes the service to crash and remain defunct, resulting in a denial of service. It occurs pre-boot and is likely due to a NULL pointer dereference. Rebooting is required to recover the system.

Affected products

freerdp
  • *
  • <3.16.0
gnome-remote-desktop

Matching in nixpkgs

pkgs.gnome-remote-desktop

GNOME Remote Desktop server

Package maintainers: 4

CVE-2025-40906
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 7 months ago
BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities

BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities. Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. BSON-XS was the official Perl XS implementation of MongoDB's BSON serialization, but this distribution has reached its end of life as of August 13, 2020 and is no longer supported.

Affected products

BSON-XS
  • =<0.8.4

Matching in nixpkgs

pkgs.perl538Packages.BSONXS

XS implementation of MongoDB's BSON serialization (EOL)

pkgs.perl540Packages.BSONXS

XS implementation of MongoDB's BSON serialization (EOL)

CVE-2025-40907
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 7 months ago
FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library

FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library. The included FastCGI library is affected by CVE-2025-23016, causing an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.

Affected products

FCGI
  • =<0.82

Matching in nixpkgs

pkgs.perl538Packages.FCGI

Fast CGI module

pkgs.perl540Packages.FCGI

Fast CGI module

pkgs.perl538Packages.FCGIClient

Client library for fastcgi protocol

pkgs.perl540Packages.FCGIClient

Client library for fastcgi protocol

pkgs.perl538Packages.FCGIProcManager

Perl-based FastCGI process manager

pkgs.perl540Packages.FCGIProcManager

Perl-based FastCGI process manager

CVE-2025-4476
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 7 months ago
Libsoup: null pointer dereference in libsoup may lead to denial of service

A denial-of-service vulnerability has been identified in the libsoup HTTP client library. This flaw can be triggered when a libsoup client receives a 401 (Unauthorized) HTTP response containing a specifically crafted domain parameter within the WWW-Authenticate header. Processing this malformed header can lead to a crash of the client application using libsoup. An attacker could exploit this by setting up a malicious HTTP server. If a user's application using the vulnerable libsoup library connects to this malicious server, it could result in a denial-of-service. Successful exploitation requires tricking a user's client application into connecting to the attacker's malicious server.

Affected products

libsoup
  • <3.6.6
libsoup3

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

pkgs.libsoup_2_4

HTTP client/server library for GNOME

pkgs.libsoup_3.x86_64-linux

HTTP client/server library for GNOME

pkgs.libsoup_3.aarch64-linux

HTTP client/server library for GNOME

pkgs.libsoup_3.x86_64-darwin

HTTP client/server library for GNOME

pkgs.libsoup_2_4.x86_64-linux

HTTP client/server library for GNOME

pkgs.libsoup_3.aarch64-darwin

HTTP client/server library for GNOME

pkgs.libsoup_2_4.aarch64-linux

HTTP client/server library for GNOME

pkgs.libsoup_2_4.x86_64-darwin

HTTP client/server library for GNOME

pkgs.libsoup_2_4.aarch64-darwin

HTTP client/server library for GNOME

pkgs.tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4"

Test whether libsoup-2.74.3 exposes pkg-config modules libsoup-gnome-2.4

Package maintainers: 6

CVE-2025-31639
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 7 months ago
WordPress Spare <= 1.7 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in themeton Spare allows Cross Site Request Forgery. This issue affects Spare: from n/a through 1.7.

Affected products

spare
  • =<1.7

Matching in nixpkgs

pkgs.asciiquarium-transparent

Aquarium/sea animation in ASCII art (with option of transparent background)

pkgs.gnomeExtensions.transparent-top-bar

Bring back the transparent top bar when free-floating in GNOME Shell 3.32.

  • nixos-unstable 23
    • nixos-unstable-small 23
    • nixpkgs-unstable 23

pkgs.vimPlugins.transparent-nvim.x86_64-linux

pkgs.gnomeExtensions.transparent-window-moving

Makes the window semi-transparent when moving or resizing

  • nixos-unstable 18
    • nixos-unstable-small 18
    • nixpkgs-unstable 18

pkgs.vimPlugins.transparent-nvim.aarch64-linux

pkgs.vimPlugins.transparent-nvim.x86_64-darwin

pkgs.vimPlugins.transparent-nvim.aarch64-darwin

pkgs.gnomeExtensions.transparent-top-bar-adjustable-transparency

Fork of: https://github.com/zhanghai/gnome-shell-extension-transparent-top-bar

  • nixos-unstable 21
    • nixos-unstable-small 21
    • nixpkgs-unstable 21

Package maintainers: 4

CVE-2024-4981
7.6 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 7 months ago by @mweinelt Activity log
  • Created automatic suggestion 7 months ago
  • @mweinelt dismissed 7 months ago
  • @mweinelt marked as untriaged 7 months ago
Pagure: _update_file_in_git() follows symbolic links in temporary clones

A vulnerability was discovered in Pagure server. If a malicious user were to submit a git repository with symbolic links, the server could unintentionally show incorporate and make visible content from outside the git repo.

Affected products

pagure
  • <5.14.1

Matching in nixpkgs

pkgs.haskellPackages.pagure

Pagure REST client library

pkgs.haskellPackages.pagure-cli

Pagure client

CVE-2024-4982
7.6 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 7 months ago
Pagure: path traversal in view_issue_raw_file()

A directory traversal vulnerability was discovered in Pagure server. If a malicious user submits a specially cratfted git repository they could discover secrets on the server.

Affected products

pagure
  • <5.14.1

Matching in nixpkgs

pkgs.haskellPackages.pagure

Pagure REST client library

pkgs.haskellPackages.pagure-cli

Pagure client

CVE-2024-24762
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 7 months, 1 week ago
python-multipart vulnerable to content-type header Regular expression Denial of Service

`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.

Affected products

fastapi
  • <0.109.1
startlette
  • <0.36.2
python-multipart
  • <0.0.7

Matching in nixpkgs

pkgs.fastapi-cli

Run and manage FastAPI apps from the command line with FastAPI CLI

pkgs.python311Packages.fastapi

Web framework for building APIs

pkgs.python312Packages.fastapi

Web framework for building APIs

pkgs.python311Packages.fastapi-cli

Run and manage FastAPI apps from the command line with FastAPI CLI

pkgs.python311Packages.fastapi-sso

FastAPI plugin to enable SSO to most common providers (such as Facebook login, Google login and login via Microsoft Office 365 Account

pkgs.python312Packages.fastapi-cli

Run and manage FastAPI apps from the command line with FastAPI CLI

pkgs.python312Packages.fastapi-sso

FastAPI plugin to enable SSO to most common providers (such as Facebook login, Google login and login via Microsoft Office 365 Account

pkgs.python311Packages.fastapi-mail

Module for sending emails and attachments

pkgs.python312Packages.fastapi-mail

Module for sending emails and attachments

pkgs.python311Packages.python-multipart

Streaming multipart parser for Python

pkgs.python312Packages.python-multipart

Streaming multipart parser for Python

pkgs.python312Packages.python-multipart.x86_64-linux

Streaming multipart parser for Python

pkgs.python312Packages.python-multipart.aarch64-linux

Streaming multipart parser for Python

pkgs.python312Packages.python-multipart.x86_64-darwin

Streaming multipart parser for Python

pkgs.python312Packages.python-multipart.aarch64-darwin

Streaming multipart parser for Python

pkgs.python311Packages.prometheus-fastapi-instrumentator

Instrument FastAPI with Prometheus metrics

pkgs.python312Packages.prometheus-fastapi-instrumentator

Instrument FastAPI with Prometheus metrics

pkgs.python311Packages.opentelemetry-instrumentation-fastapi

OpenTelemetry Instrumentation for fastapi

pkgs.python312Packages.opentelemetry-instrumentation-fastapi

OpenTelemetry Instrumentation for fastapi

pkgs.python312Packages.prometheus-fastapi-instrumentator.x86_64-linux

Instrument FastAPI with Prometheus metrics

pkgs.python312Packages.prometheus-fastapi-instrumentator.aarch64-linux

Instrument FastAPI with Prometheus metrics

pkgs.python312Packages.opentelemetry-instrumentation-fastapi.x86_64-linux

OpenTelemetry Instrumentation for fastapi

pkgs.python312Packages.opentelemetry-instrumentation-fastapi.aarch64-linux

OpenTelemetry Instrumentation for fastapi

pkgs.python312Packages.opentelemetry-instrumentation-fastapi.x86_64-darwin

OpenTelemetry Instrumentation for fastapi

pkgs.python312Packages.opentelemetry-instrumentation-fastapi.aarch64-darwin

OpenTelemetry Instrumentation for fastapi

Package maintainers: 7

CVE-2025-47509
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 7 months, 1 week ago
WordPress Top 10 <= 4.1.0 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ajay Top 10 allows Stored XSS. This issue affects Top 10: from n/a through 4.1.0.

Affected products

top-10
  • =<4.1.0

Matching in nixpkgs

pkgs.budgie-desktop

Feature-rich, modern desktop designed to keep out the way of the user

pkgs.gnomeExtensions.pip-on-top

Makes "Picture-in-Picture" windows stay on top (even on Wayland session). Compatible with Firefox, but may work with few other browsers too.

  • nixos-unstable 10
    • nixos-unstable-small 10
    • nixpkgs-unstable 10

pkgs.gnomeExtensions.show-apps-at-top

Put show apps icon at top in Gnome default dash

Package maintainers: 3

CVE-2023-20587
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 7 months, 1 week ago
Improper Access Control in System Management Mode (SMM) may allow …

Improper Access Control in System Management Mode (SMM) may allow an attacker access to the SPI flash potentially leading to arbitrary code execution.

Affected products

PI
  • ==various
  • ==various

Matching in nixpkgs

pkgs.spoofdpi

Simple and fast anti-censorship tool written in Go

pkgs.perl538Packages.PPI

Parse, Analyze and Manipulate Perl (without perl)

pkgs.perl540Packages.PPI

Parse, Analyze and Manipulate Perl (without perl)

pkgs.haskellPackages.hsPID

PID control loop

pkgs.spirv-llvm-translator

Tool and a library for bi-directional translation between SPIR-V and LLVM IR

pkgs.spoofdpi.x86_64-linux

Simple and fast anti-censorship tool written in Go

pkgs.perl538Packages.GSSAPI

Perl extension providing access to the GSSAPIv2 library

pkgs.perl540Packages.GSSAPI

Perl extension providing access to the GSSAPIv2 library

pkgs.spoofdpi.aarch64-linux

Simple and fast anti-censorship tool written in Go

pkgs.spoofdpi.x86_64-darwin

Simple and fast anti-censorship tool written in Go

pkgs.spoofdpi.aarch64-darwin

Simple and fast anti-censorship tool written in Go

pkgs.haskellPackages.EdisonAPI

A library of efficient, purely-functional data structures (API)

pkgs.perl538Packages.PPIxUtils

Utility functions for PPI

pkgs.perl540Packages.PPIxUtils

Utility functions for PPI

pkgs.perl538Packages.PPIxRegexp

Parse regular expressions

pkgs.perl540Packages.PPIxRegexp

Parse regular expressions

pkgs.perl538Packages.ProcPIDFile

Manage process id files

pkgs.perl540Packages.ProcPIDFile

Manage process id files

pkgs.perl538Packages.WWWTwilioAPI

Accessing Twilio's REST API with Perl

pkgs.perl540Packages.WWWTwilioAPI

Accessing Twilio's REST API with Perl

pkgs.perl538Packages.OpenAPIClient

Client for talking to an Open API powered server

pkgs.perl538Packages.PPIxQuoteLike

Parse Perl string literals and string-literal-like things

pkgs.perl540Packages.OpenAPIClient

Client for talking to an Open API powered server

pkgs.perl540Packages.PPIxQuoteLike

Parse Perl string literals and string-literal-like things

pkgs.perl540Packages.PPI.x86_64-linux

Parse, Analyze and Manipulate Perl (without perl)

pkgs.perl540Packages.PPI.aarch64-linux

Parse, Analyze and Manipulate Perl (without perl)

pkgs.perl540Packages.PPI.x86_64-darwin

Parse, Analyze and Manipulate Perl (without perl)

pkgs.haskellPackages.hsPID.x86_64-linux

PID control loop

pkgs.perl540Packages.PPI.aarch64-darwin

Parse, Analyze and Manipulate Perl (without perl)

pkgs.spirv-llvm-translator.x86_64-linux

Tool and a library for bi-directional translation between SPIR-V and LLVM IR

pkgs.haskellPackages.hsPID.aarch64-linux

PID control loop

pkgs.haskellPackages.hsPID.x86_64-darwin

PID control loop

pkgs.spirv-llvm-translator.aarch64-linux

Tool and a library for bi-directional translation between SPIR-V and LLVM IR

pkgs.spirv-llvm-translator.x86_64-darwin

Tool and a library for bi-directional translation between SPIR-V and LLVM IR

pkgs.haskellPackages.hsPID.aarch64-darwin

PID control loop

pkgs.perl540Packages.PDFAPI2.x86_64-linux

Create, modify, and examine PDF files

pkgs.spirv-llvm-translator.aarch64-darwin

Tool and a library for bi-directional translation between SPIR-V and LLVM IR

pkgs.perl540Packages.PDFAPI2.aarch64-linux

Create, modify, and examine PDF files

pkgs.perl540Packages.PDFAPI2.x86_64-darwin

Create, modify, and examine PDF files

pkgs.perl540Packages.PDFAPI2.aarch64-darwin

Create, modify, and examine PDF files

pkgs.perl540Packages.PPIxUtils.x86_64-linux

Utility functions for PPI

pkgs.perl540Packages.PPIxRegexp.x86_64-linux

Parse regular expressions

pkgs.perl540Packages.PPIxUtils.aarch64-linux

Utility functions for PPI

pkgs.perl540Packages.PPIxUtils.x86_64-darwin

Utility functions for PPI

pkgs.perl538Packages.MojoliciousPluginOpenAPI

OpenAPI / Swagger plugin for Mojolicious

pkgs.perl540Packages.MojoliciousPluginOpenAPI

OpenAPI / Swagger plugin for Mojolicious

pkgs.perl540Packages.PPIxRegexp.aarch64-linux

Parse regular expressions

pkgs.perl540Packages.PPIxRegexp.x86_64-darwin

Parse regular expressions

pkgs.perl540Packages.PPIxUtils.aarch64-darwin

Utility functions for PPI

pkgs.perl540Packages.ProcPIDFile.x86_64-linux

Manage process id files

pkgs.perl540Packages.PPIxRegexp.aarch64-darwin

Parse regular expressions

pkgs.perl540Packages.ProcPIDFile.aarch64-linux

Manage process id files

pkgs.perl540Packages.ProcPIDFile.x86_64-darwin

Manage process id files

pkgs.perl540Packages.WWWTwilioAPI.x86_64-linux

Accessing Twilio's REST API with Perl

pkgs.perl540Packages.OpenAPIClient.x86_64-linux

Client for talking to an Open API powered server

pkgs.perl540Packages.PPIxQuoteLike.x86_64-linux

Parse Perl string literals and string-literal-like things

pkgs.perl540Packages.PPIxUtilities.x86_64-linux

Extensions to PPI|PPI

pkgs.perl540Packages.ProcPIDFile.aarch64-darwin

Manage process id files

pkgs.perl540Packages.WWWTwilioAPI.aarch64-linux

Accessing Twilio's REST API with Perl

pkgs.perl540Packages.WWWTwilioAPI.x86_64-darwin

Accessing Twilio's REST API with Perl

pkgs.perl540Packages.OpenAPIClient.aarch64-linux

Client for talking to an Open API powered server

pkgs.perl540Packages.OpenAPIClient.x86_64-darwin

Client for talking to an Open API powered server

pkgs.perl540Packages.PPIxQuoteLike.aarch64-linux

Parse Perl string literals and string-literal-like things

pkgs.perl540Packages.PPIxQuoteLike.x86_64-darwin

Parse Perl string literals and string-literal-like things

pkgs.perl540Packages.PPIxUtilities.aarch64-linux

Extensions to PPI|PPI

pkgs.perl540Packages.PPIxUtilities.x86_64-darwin

Extensions to PPI|PPI

pkgs.perl540Packages.WWWTwilioAPI.aarch64-darwin

Accessing Twilio's REST API with Perl

pkgs.perl540Packages.OpenAPIClient.aarch64-darwin

Client for talking to an Open API powered server

pkgs.perl540Packages.PPIxQuoteLike.aarch64-darwin

Parse Perl string literals and string-literal-like things

pkgs.perl540Packages.PPIxUtilities.aarch64-darwin

Extensions to PPI|PPI

pkgs.perl540Packages.MojoliciousPluginOpenAPI.x86_64-linux

OpenAPI / Swagger plugin for Mojolicious

pkgs.perl540Packages.MojoliciousPluginOpenAPI.aarch64-linux

OpenAPI / Swagger plugin for Mojolicious

pkgs.perl540Packages.MojoliciousPluginOpenAPI.x86_64-darwin

OpenAPI / Swagger plugin for Mojolicious

pkgs.perl540Packages.MojoliciousPluginOpenAPI.aarch64-darwin

OpenAPI / Swagger plugin for Mojolicious