Nixpkgs Security Tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Automatically generated suggestions

to queue a suggestion for refinement.

to remove a suggestion from the queue.

CVE-2025-32912
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 8 months ago
Libsoup: null pointer dereference in client when server omits the "nonce" parameter in an unauthorized response with digest authentication

A flaw was found in libsoup, where SoupAuthDigest is vulnerable to a NULL pointer dereference. The HTTP server may cause the libsoup client to crash.

Affected products

libsoup
  • <3.6.5
libsoup3
  • *

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

pkgs.libsoup_2_4

HTTP client/server library for GNOME

pkgs.tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4"

Test whether libsoup-2.74.3 exposes pkg-config modules libsoup-gnome-2.4

Package maintainers: 6

CVE-2025-32910
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 8 months ago
Libsoup: null pointer deference on libsoup via /auth/soup-auth-digest.c through "soup_auth_digest_authenticate" on client when server omits the "realm" parameter in an unauthorized response with digest authentication

A flaw was found in libsoup, where soup_auth_digest_authenticate() is vulnerable to a NULL pointer dereference. This issue may cause the libsoup client to crash.

Affected products

libsoup
  • <3.6.3
libsoup3
mingw-freetype
  • *
spice-client-win
  • *

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

pkgs.libsoup_2_4

HTTP client/server library for GNOME

pkgs.tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4"

Test whether libsoup-2.74.3 exposes pkg-config modules libsoup-gnome-2.4

Package maintainers: 6

CVE-2025-32913
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 8 months ago
Libsoup: null pointer dereference in soup_message_headers_get_content_disposition when "filename" parameter is present, but has no value in content-disposition header

A flaw was found in libsoup, where the soup_message_headers_get_content_disposition() function is vulnerable to a NULL pointer dereference. This flaw allows a malicious HTTP peer to crash a libsoup client or server that uses this function.

Affected products

libsoup
  • *
  • <3.6.2
libsoup3
mingw-freetype
  • *
spice-client-win
  • *

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

pkgs.libsoup_2_4

HTTP client/server library for GNOME

pkgs.tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4"

Test whether libsoup-2.74.3 exposes pkg-config modules libsoup-gnome-2.4

Package maintainers: 6

CVE-2025-2814
4.0 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 8 months, 1 week ago
Crypt::CBC versions between 1.21 and 3.04 for Perl may use insecure rand() function for cryptographic functions

Crypt::CBC versions between 1.21 and 3.04 for Perl may use the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. This issue affects operating systems where "/dev/urandom'" is unavailable.  In that case, Crypt::CBC will fallback to use the insecure rand() function.

Affected products

Crypt-CBC
  • =<3.04
  • =<3.05

Matching in nixpkgs

pkgs.perl538Packages.CryptCBC

Encrypt Data with Cipher Block Chaining Mode

pkgs.perl540Packages.CryptCBC

Encrypt Data with Cipher Block Chaining Mode

CVE-2025-32618
8.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 8 months, 1 week ago
WordPress Wishlist plugin <= 1.0.43 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PickPlugins Wishlist allows SQL Injection. This issue affects Wishlist: from n/a through 1.0.43.

Affected products

wishlist
  • =<1.0.43

Matching in nixpkgs

pkgs.wishlist

Single entrypoint for multiple SSH endpoints

Package maintainers: 2

CVE-2025-32589
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 8 months, 1 week ago
WordPress Flexi – Guest Submit Plugin <= 4.28 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in odude Flexi – Guest Submit allows PHP Local File Inclusion. This issue affects Flexi – Guest Submit: from n/a through 4.28.

Affected products

flexi
  • =<4.28

Matching in nixpkgs

pkgs.python311Packages.pyflexit

Python library for Flexit A/C units

pkgs.python312Packages.pyflexit

Python library for Flexit A/C units

pkgs.python311Packages.flexit-bacnet

Client BACnet library for Flexit Nordic series of air handling units

pkgs.python312Packages.flexit-bacnet

Client BACnet library for Flexit Nordic series of air handling units

pkgs.haskellPackages.flexible-defaults

Generate default function implementations for complex type classes

pkgs.haskellPackages.flexible-numeric-parsers

Flexible numeric parsers for real-world programming languages

pkgs.home-assistant-component-tests.flexit_bacnet

Open source home automation that puts local control and privacy first

pkgs.python311Packages.azure-mgmt-mysqlflexibleservers

Microsoft Azure Mysqlflexibleservers Management Client Library for Python

pkgs.python312Packages.azure-mgmt-mysqlflexibleservers

Microsoft Azure Mysqlflexibleservers Management Client Library for Python

pkgs.python311Packages.azure-mgmt-postgresqlflexibleservers

Microsoft Azure Postgresqlflexibleservers Management Client Library for Python

pkgs.python312Packages.azure-mgmt-postgresqlflexibleservers

Microsoft Azure Postgresqlflexibleservers Management Client Library for Python

Package maintainers: 10

CVE-2024-1441
5.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 8 months, 1 week ago
Libvirt: off-by-one error in udevlistinterfacesbystatus()

An off-by-one error flaw was found in the udevListInterfacesByStatus() function in libvirt when the number of interfaces exceeds the size of the `names` array. This issue can be reproduced by sending specially crafted data to the libvirt daemon, allowing an unprivileged client to perform a denial of service attack by causing the libvirt daemon to crash.

Affected products

libvirt
  • ==9.7.0
  • *
virt:av/libvirt
virt:rhel/libvirt

Matching in nixpkgs

pkgs.libvirt

Toolkit to interact with the virtualization capabilities of recent versions of Linux and other OSes

pkgs.libvirt-glib

Library for working with virtual machines

pkgs.rubyPackages.ruby-libvirt

pkgs.prometheus-libvirt-exporter

Prometheus metrics exporter for libvirt

pkgs.terraform-providers.libvirt

pkgs.rubyPackages_3_1.ruby-libvirt

pkgs.rubyPackages_3_2.ruby-libvirt

pkgs.rubyPackages_3_3.ruby-libvirt

pkgs.rubyPackages_3_4.ruby-libvirt

Package maintainers: 4

CVE-2025-1386
created 8 months, 1 week ago
Query smuggling in ch-go library

When using the ch-go library, under a specific condition when the query includes a large, uncompressed malicious external data, it is possible for an attacker in control of such data to smuggle another query packet into the connection stream.

Affected products

ch-go
  • <0.65.0

Matching in nixpkgs

pkgs.immich-go

Immich client tool for bulk-uploads

Package maintainers: 1

CVE-2024-4418
6.2 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 8 months, 1 week ago
Libvirt: stack use-after-free in virnetclientioeventloop()

A race condition leading to a stack use-after-free flaw was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the `data` pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback while the data pointer's stack frame was concurrently being "freed" when returning from virNetClientIOEventLoop(). The 'virtproxyd' daemon can be used to trigger requests. If libvirt is configured with fine-grained access control, this issue, in theory, allows a user to escape their otherwise limited access. This flaw allows a local, unprivileged user to access virtproxyd without authenticating. Remote users would need to authenticate before they could access it.

Affected products

libvirt
  • *
  • <10.4.0
virt:rhel
  • *
virt-devel:rhel
  • *
virt:av/libvirt
virt:rhel/libvirt

Matching in nixpkgs

pkgs.libvirt

Toolkit to interact with the virtualization capabilities of recent versions of Linux and other OSes

pkgs.libvirt-glib

Library for working with virtual machines

pkgs.rubyPackages.ruby-libvirt

pkgs.prometheus-libvirt-exporter

Prometheus metrics exporter for libvirt

pkgs.terraform-providers.libvirt

pkgs.rubyPackages_3_1.ruby-libvirt

pkgs.rubyPackages_3_2.ruby-libvirt

pkgs.rubyPackages_3_3.ruby-libvirt

pkgs.rubyPackages_3_4.ruby-libvirt

Package maintainers: 4

CVE-2025-32230
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 8 months, 1 week ago
WordPress Tutor LMS plugin <= 3.4.0 - HTML Injection vulnerability

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Themeum Tutor LMS. This issue affects Tutor LMS: from n/a through 3.4.0.

Affected products

tutor
  • =<3.4.0

Matching in nixpkgs

pkgs.haskellPackages.timeless-tutorials

Initial project template from stack