Nixpkgs security tracker
7.7 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): CHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): NONE
- Availability impact (A): NONE
Plane Vulnerable to Full Read SSRF via Favicon Fetching in "Add Link" Feature
Plane is an an open-source project management tool. Prior to version 1.2.2, a Full Read Server-Side Request Forgery (SSRF) vulnerability has been identified in the "Add Link" feature. This flaw allows an authenticated attacker with general user privileges to send arbitrary GET requests to the internal network and exfiltrate the full response body. By exploiting this vulnerability, an attacker can steal sensitive data from internal services and cloud metadata endpoints. Version 1.2.2 fixes the issue.
References
-
https://github.com/makeplane/plane/security/advisories/GHSA-jcc6-f9v6-f7jw x_refsource_CONFIRM
-
https://github.com/makeplane/plane/releases/tag/v1.2.2 x_refsource_MISC
Affected products
- ==< 1.2.2
Matching in nixpkgs
pkgs.xplanet
Renders an image of the earth or other planets into the X root window
pkgs.freeplane
Mind-mapping software
pkgs.m2-planet
PLAtform NEutral Transpiler
pkgs.crossplane
NGINX configuration file parser and builder
pkgs.microplane
CLI tool to make git changes across many repos
pkgs.paper-plane
Chat over Telegram on a modern and elegant client
-
nixos-unstable 0.1.0-beta.5
- nixpkgs-unstable 0.1.0-beta.5
- nixos-unstable-small 0.1.0-beta.5
-
nixos-25.11 0.1.0-beta.5
- nixos-25.11-small 0.1.0-beta.5
- nixpkgs-25.11-darwin 0.1.0-beta.5
pkgs.invoiceplane
Self-hosted open source application for managing your invoices, clients and payments
pkgs.m2-mesoplanet
Macro Expander Saving Our m2-PLANET
pkgs.crossplane-cli
Utility to make using Crossplane easier
pkgs.biplanes-revival
Old cellphone arcade recreated for PC
pkgs.planetary_annihilation
Next-generation RTS that takes the genre to a planetary scale
pkgs.perlPackages.MathPlanePath
Points on a path through the 2-D plane
pkgs.perl5Packages.MathPlanePath
Points on a path through the 2-D plane
pkgs.dprint-plugins.g-plane-malva
CSS, SCSS, Sass and Less formatter.
pkgs.python312Packages.crossplane
NGINX configuration file parser and builder
pkgs.python313Packages.crossplane
NGINX configuration file parser and builder
pkgs.python314Packages.crossplane
NGINX configuration file parser and builder
pkgs.perl538Packages.MathPlanePath
Points on a path through the 2-D plane
pkgs.perl540Packages.MathPlanePath
Points on a path through the 2-D plane
pkgs.dprint-plugins.g-plane-markup_fmt
HTML, Vue, Svelte, Astro, Angular, Jinja, Twig, Nunjucks, and Vento formatter.
pkgs.dprint-plugins.g-plane-pretty_yaml
YAML formatter.
pkgs.gnomeExtensions.sane-airplane-mode
Make airplane mode sane again! This extension gives you better control over the airplane mode and lets you turn off the annoying "Bluetooth gets turned on when I disable airplane mode" behaviour.
pkgs.python313Packages.envoy-data-plane
Python dataclasses for the Envoy Data-Plane-API
pkgs.python314Packages.envoy-data-plane
Python dataclasses for the Envoy Data-Plane-API
pkgs.python312Packages.planetary-computer
Planetary Computer SDK for Python
-
nixos-25.11 1.0.0.post0
- nixos-25.11-small 1.0.0.post0
- nixpkgs-25.11-darwin 1.0.0.post0
pkgs.python313Packages.planetary-computer
Planetary Computer SDK for Python
-
nixos-unstable 1.0.0.post0
- nixpkgs-unstable 1.0.0.post0
- nixos-unstable-small 1.0.0.post0
-
nixos-25.11 1.0.0.post0
- nixos-25.11-small 1.0.0.post0
- nixpkgs-25.11-darwin 1.0.0.post0
pkgs.python314Packages.planetary-computer
Planetary Computer SDK for Python
-
nixos-unstable 1.0.0.post0
- nixpkgs-unstable 1.0.0.post0
- nixos-unstable-small 1.0.0.post0
pkgs.dprint-plugins.g-plane-pretty_graphql
GraphQL formatter.
pkgs.haskellPackages.amazonka-iot-dataplane
Amazon IoT Data Plane SDK
-
nixos-unstable 2.0-unstable-2025-04-16
- nixpkgs-unstable 2.0-unstable-2025-04-16
- nixos-unstable-small 2.0-unstable-2025-04-16
-
nixos-25.11 2.0-unstable-2025-04-16
- nixos-25.11-small 2.0-unstable-2025-04-16
- nixpkgs-25.11-darwin 2.0-unstable-2025-04-16
pkgs.haskellPackages.amazonka-iot-jobs-dataplane
Amazon IoT Jobs Data Plane SDK
-
nixos-unstable 2.0-unstable-2025-04-16
- nixpkgs-unstable 2.0-unstable-2025-04-16
- nixos-unstable-small 2.0-unstable-2025-04-16
-
nixos-25.11 2.0-unstable-2025-04-16
- nixos-25.11-small 2.0-unstable-2025-04-16
- nixpkgs-25.11-darwin 2.0-unstable-2025-04-16
pkgs.vscode-extensions.gplane.wasm-language-tools
Language support of WebAssembly
pkgs.haskellPackages.amazonka-mediastore-dataplane
Amazon Elemental MediaStore Data Plane SDK
-
nixos-unstable 2.0-unstable-2025-04-16
- nixpkgs-unstable 2.0-unstable-2025-04-16
- nixos-unstable-small 2.0-unstable-2025-04-16
-
nixos-25.11 2.0-unstable-2025-04-16
- nixos-25.11-small 2.0-unstable-2025-04-16
- nixpkgs-25.11-darwin 2.0-unstable-2025-04-16
Package maintainers
-
@KAction Dmitry Bogatov <KAction@disroot.org>
-
@selfuryon Sergei Iakovlev <siakovlev@pm.me>
-
@phanirithvij Phani Rithvij <phanirithvij2000@gmail.com>
-
@charles-dyfis-net Charles Duffy <charles@dyfis.net>
-
@honnip Jung seungwoo <me@honnip.page>
-
@onny Jonas Heinrich <onny@project-insanity.org>
-
@Ericson2314 John Ericson <John.Ericson@Obsidian.Systems>
-
@siraben Siraphob Phipathananunth <bensiraphob@gmail.com>
-
@alejandrosame Alejandro Sánchez Medina <alejandrosanchzmedina@gmail.com>
-
@emilytrau Emily Trau <emily+nix@downunderctf.com>
-
@06kellyjac Jack <hello+nixpkgs@j-k.io>
-
@Artturin Artturi N <artturin@artturin.com>
-
@dbirks David Birks <david@birks.dev>
-
@Aleksanaa Aleksana QwQ <me@aleksana.moe>
-
@domenkozar Domen Kozar <domen@dev.si>
-
@daspk04 Pratyush Das <dpratyush.k@gmail.com>
-
@Lassulus Lassulus <lassulus@gmail.com>
-
@svanderburg Sander van der Burg <s.vanderburg@tudelft.nl>
-
@GaetanLepage Gaetan Lepage <gaetan@glepage.com>
-
@samestep Sam Estep <sam@samestep.com>