Nixpkgs Security Tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Automatically generated suggestions

to queue a suggestion for refinement.

to remove a suggestion from the queue.

CVE-2023-50781
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 10 months, 1 week ago
M2crypto: bleichenbacher timing attacks in the rsa decryption api - incomplete fix for cve-2020-25657

A flaw was found in m2crypto. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

Affected products

pywbem
m2crypto
virt-who

Matching in nixpkgs

pkgs.python311Packages.pywbem

Support for the WBEM standard for systems management

pkgs.python312Packages.pywbem

Support for the WBEM standard for systems management

pkgs.python312Packages.pywbem.x86_64-linux

Support for the WBEM standard for systems management

pkgs.python312Packages.pywbem.aarch64-linux

Support for the WBEM standard for systems management

pkgs.python312Packages.pywbem.x86_64-darwin

Support for the WBEM standard for systems management

pkgs.python312Packages.m2crypto.x86_64-linux

Python crypto and SSL toolkit

pkgs.python312Packages.pywbem.aarch64-darwin

Support for the WBEM standard for systems management

pkgs.python312Packages.m2crypto.aarch64-linux

Python crypto and SSL toolkit

pkgs.python312Packages.m2crypto.x86_64-darwin

Python crypto and SSL toolkit

pkgs.python312Packages.m2crypto.aarch64-darwin

Python crypto and SSL toolkit

CVE-2024-31420
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 10 months, 1 week ago
Cnv: dos through repeatedly calling vm-dump-metrics until virt handler crashes

A NULL pointer dereference flaw was found in KubeVirt. This flaw allows an attacker who has access to a virtual machine guest on a node with DownwardMetrics enabled to cause a denial of service by issuing a high number of calls to vm-dump-metrics --virtio and then deleting the virtual machine.

Affected products

cnv
  • ==4.15.0
kubevirt

Matching in nixpkgs

pkgs.kubevirt

Client tool to use advanced features such as console access

pkgs.python311Packages.cnvkit

Python library and command-line software toolkit to infer and visualize copy number from high-throughput DNA sequencing data

pkgs.python312Packages.cnvkit

Python library and command-line software toolkit to infer and visualize copy number from high-throughput DNA sequencing data

Package maintainers: 2

CVE-2024-3094
10.0 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 10 months, 1 week ago
Xz: malicious code in distributed source

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

Affected products

xz
  • ==5.6.0
  • ==5.6.1

Matching in nixpkgs

pkgs.xz

General-purpose data compression software, successor of LZMA

pkgs.pxz

compression utility that runs LZMA compression of different parts on multiple cores simultaneously

pkgs.pixz

Parallel compressor/decompressor for xz format

pkgs.xzgv

Picture viewer for X with a thumbnail-based selector

pkgs.xzoom

X11 screen zoom tool

pkgs.python311Packages.txzmq

Twisted bindings for ZeroMQ

pkgs.python312Packages.txzmq

Twisted bindings for ZeroMQ

pkgs.python311Packages.python-xz

Pure Python library for seeking within compressed xz files

pkgs.python312Packages.python-xz

Pure Python library for seeking within compressed xz files

pkgs.python312Packages.txzmq.x86_64-linux

Twisted bindings for ZeroMQ

pkgs.python312Packages.txzmq.aarch64-linux

Twisted bindings for ZeroMQ

pkgs.python312Packages.txzmq.x86_64-darwin

Twisted bindings for ZeroMQ

pkgs.python312Packages.txzmq.aarch64-darwin

Twisted bindings for ZeroMQ

pkgs.python312Packages.python-xz.x86_64-linux

Pure Python library for seeking within compressed xz files

pkgs.python312Packages.python-xz.aarch64-linux

Pure Python library for seeking within compressed xz files

pkgs.python312Packages.python-xz.x86_64-darwin

Pure Python library for seeking within compressed xz files

pkgs.python312Packages.python-xz.aarch64-darwin

Pure Python library for seeking within compressed xz files

Package maintainers: 6

CVE-2023-3758
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): ADJACENT_NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 10 months, 1 week ago
Sssd: race condition during authorization leads to gpo policies functioning inconsistently

A race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately.

Affected products

sssd
  • *
  • <2.9.5

Matching in nixpkgs

pkgs.sssd

System Security Services Daemon

Package maintainers: 1

CVE-2022-2084
5.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 10 months, 1 week ago
sensitive data exposure in cloud-init logs

Sensitive data could be exposed in world readable logs of cloud-init before version 22.3 when schema failures are reported. This leak could include hashed passwords.

Affected products

cloud-init
  • <23.0

Matching in nixpkgs

pkgs.cloud-init

Provides configuration and customization of cloud instance

Package maintainers: 2

CVE-2023-30797
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 10 months, 1 week ago
Insecure Random Generation in Netflix Lemur

Netflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.

Affected products

lemur
  • <<1.3.2

Matching in nixpkgs

pkgs.lemurs

Customizable TUI display/login manager written in Rust

Package maintainers: 1

CVE-2021-3429
5.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 10 months, 1 week ago
sensitive data exposure in cloud-init logs

When instructing cloud-init to set a random password for a new user account, versions before 21.2 would write that password to the world-readable log file /var/log/cloud-init-output.log. This could allow a local user to log in as another user.

Affected products

cloud-init
  • <21.2

Matching in nixpkgs

pkgs.cloud-init

Provides configuration and customization of cloud instance

Package maintainers: 2

CVE-2023-30798
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 10 months, 1 week ago
MultipartParser DOS with too many fields or files in Starlette Framework

There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of service of the HTTP service.

Affected products

starlette
  • <0.25.0

Matching in nixpkgs

pkgs.python311Packages.starlette

Little ASGI framework that shines

pkgs.python312Packages.starlette

Little ASGI framework that shines

pkgs.python311Packages.sse-starlette

Server Sent Events for Starlette and FastAPI

pkgs.python311Packages.starlette-wtf

Simple tool for integrating Starlette and WTForms

pkgs.python312Packages.sse-starlette

Server Sent Events for Starlette and FastAPI

pkgs.python312Packages.starlette-wtf

Simple tool for integrating Starlette and WTForms

pkgs.python311Packages.starlette-admin

Fast, beautiful and extensible administrative interface framework for Starlette & FastApi applications

pkgs.python312Packages.starlette-admin

Fast, beautiful and extensible administrative interface framework for Starlette & FastApi applications

pkgs.python311Packages.starlette-context

Middleware for Starlette that allows you to store and access the context data of a request

pkgs.python312Packages.starlette-context

Middleware for Starlette that allows you to store and access the context data of a request

pkgs.python312Packages.starlette.x86_64-linux

Little ASGI framework that shines

pkgs.python312Packages.starlette.aarch64-linux

Little ASGI framework that shines

pkgs.python312Packages.starlette.x86_64-darwin

Little ASGI framework that shines

pkgs.python312Packages.starlette.aarch64-darwin

Little ASGI framework that shines

pkgs.python312Packages.sse-starlette.x86_64-linux

Server Sent Events for Starlette and FastAPI

pkgs.python312Packages.starlette-wtf.x86_64-linux

Simple tool for integrating Starlette and WTForms

pkgs.python312Packages.sse-starlette.aarch64-linux

Server Sent Events for Starlette and FastAPI

pkgs.python312Packages.sse-starlette.x86_64-darwin

Server Sent Events for Starlette and FastAPI

pkgs.python312Packages.starlette-wtf.aarch64-linux

Simple tool for integrating Starlette and WTForms

pkgs.python312Packages.starlette-wtf.x86_64-darwin

Simple tool for integrating Starlette and WTForms

pkgs.python312Packages.sse-starlette.aarch64-darwin

Server Sent Events for Starlette and FastAPI

pkgs.python312Packages.starlette-admin.x86_64-linux

Fast, beautiful and extensible administrative interface framework for Starlette & FastApi applications

pkgs.python312Packages.starlette-wtf.aarch64-darwin

Simple tool for integrating Starlette and WTForms

pkgs.python312Packages.starlette-admin.aarch64-linux

Fast, beautiful and extensible administrative interface framework for Starlette & FastApi applications

pkgs.python312Packages.starlette-admin.x86_64-darwin

Fast, beautiful and extensible administrative interface framework for Starlette & FastApi applications

pkgs.python312Packages.starlette-admin.aarch64-darwin

Fast, beautiful and extensible administrative interface framework for Starlette & FastApi applications

pkgs.python312Packages.starlette-context.x86_64-linux

Middleware for Starlette that allows you to store and access the context data of a request

pkgs.python312Packages.starlette-context.aarch64-linux

Middleware for Starlette that allows you to store and access the context data of a request

pkgs.python312Packages.starlette-context.x86_64-darwin

Middleware for Starlette that allows you to store and access the context data of a request

pkgs.python312Packages.starlette-context.aarch64-darwin

Middleware for Starlette that allows you to store and access the context data of a request

Package maintainers: 7

CVE-2025-22696
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 10 months, 1 week ago
WordPress Document Block – Upload & Embed Docs, PDF, PPT, XLS or Any Documents plugin <= 1.1.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in EmbedPress Document Block – Upload & Embed Docs. This issue affects Document Block – Upload & Embed Docs: from n/a through 1.1.0.

Affected products

document
  • =<1.1.0

Matching in nixpkgs

pkgs.phpdocumentor

PHP documentation generator

pkgs.documentation-highlighter

Highlight.js sources for the Nix Ecosystem's documentation

  • nixos-unstable ???
    • nixos-unstable-small
    • nixpkgs-unstable

pkgs.onlyoffice-documentserver

ONLYOFFICE Document Server is an online office suite comprising viewers and editors

pkgs.phpdocumentor.x86_64-linux

PHP documentation generator

pkgs.phpdocumentor.aarch64-linux

PHP documentation generator

pkgs.phpdocumentor.x86_64-darwin

PHP documentation generator

pkgs.libsForQt5.mauikit-documents

MauiKit QtQuick plugins for text editing

pkgs.phpdocumentor.aarch64-darwin

PHP documentation generator

pkgs.kdePackages.libkeduvocdocument

Library to parse, convert, and manipulate KVTML files

pkgs.python311Packages.pydocumentdb

Azure Cosmos DB API

pkgs.python312Packages.pydocumentdb

Azure Cosmos DB API

pkgs.cudaPackages.cuda_documentation

CUDA Documentation. By downloading and using the packages you accept the terms and conditions of the CUDA EULA

pkgs.plasma5Packages.mauikit-documents

MauiKit QtQuick plugins for text editing

pkgs.cudaPackages_11.cuda_documentation

CUDA Documentation. By downloading and using the packages you accept the terms and conditions of the CUDA EULA

pkgs.python311Packages.netbox-documents

Plugin designed to faciliate the storage of site, circuit, device type and device specific documents within NetBox

pkgs.python312Packages.netbox-documents

Plugin designed to faciliate the storage of site, circuit, device type and device specific documents within NetBox

pkgs.tests.haskell.documentationTarball

  • nixos-unstable ???
    • nixos-unstable-small
    • nixpkgs-unstable

pkgs.haskellPackages.pdf-toolbox-document

A collection of tools for processing PDF files

pkgs.python311Packages.tableaudocumentapi

Python module for working with Tableau files

pkgs.python312Packages.tableaudocumentapi

Python module for working with Tableau files

pkgs.python311Packages.azure-search-documents

Microsoft Azure Cognitive Search Client Library for Python

pkgs.python312Packages.azure-search-documents

Microsoft Azure Cognitive Search Client Library for Python

pkgs.libsForQt5.mauikit-documents.x86_64-linux

MauiKit QtQuick plugins for text editing

pkgs.libsForQt5.mauikit-documents.aarch64-linux

MauiKit QtQuick plugins for text editing

pkgs.python312Packages.pydocumentdb.x86_64-linux

Azure Cosmos DB API

pkgs.python312Packages.pydocumentdb.aarch64-linux

Azure Cosmos DB API

pkgs.python312Packages.pydocumentdb.x86_64-darwin

Azure Cosmos DB API

pkgs.python312Packages.pydocumentdb.aarch64-darwin

Azure Cosmos DB API

pkgs.sbclPackages.documentation-utils.x86_64-linux

pkgs.plasma5Packages.mauikit-documents.x86_64-linux

MauiKit QtQuick plugins for text editing

pkgs.sbclPackages.documentation-utils.aarch64-linux

pkgs.sbclPackages.documentation-utils.x86_64-darwin

pkgs.plasma5Packages.mauikit-documents.aarch64-linux

MauiKit QtQuick plugins for text editing

pkgs.python312Packages.netbox-documents.x86_64-linux

Plugin designed to faciliate the storage of site, circuit, device type and device specific documents within NetBox

pkgs.sbclPackages.documentation-utils.aarch64-darwin

pkgs.python312Packages.netbox-documents.aarch64-linux

Plugin designed to faciliate the storage of site, circuit, device type and device specific documents within NetBox

pkgs.python312Packages.netbox-documents.x86_64-darwin

Plugin designed to faciliate the storage of site, circuit, device type and device specific documents within NetBox

pkgs.python312Packages.netbox-documents.aarch64-darwin

Plugin designed to faciliate the storage of site, circuit, device type and device specific documents within NetBox

pkgs.python312Packages.tableaudocumentapi.x86_64-linux

Python module for working with Tableau files

pkgs.python312Packages.tableaudocumentapi.aarch64-linux

Python module for working with Tableau files

pkgs.python312Packages.tableaudocumentapi.x86_64-darwin

Python module for working with Tableau files

pkgs.python312Packages.tableaudocumentapi.aarch64-darwin

Python module for working with Tableau files

CVE-2025-24684
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 10 months, 2 weeks ago
WordPress Media Downloader Plugin <= 0.4.7.5 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ederson Peka Media Downloader allows Reflected XSS. This issue affects Media Downloader: from n/a through 0.4.7.5.

Affected products

media-downloader
  • =<0.4.7.5

Matching in nixpkgs

pkgs.media-downloader

Qt/C++ GUI front end for yt-dlp and others

Package maintainers: 2