Nixpkgs security tracker

Untriaged

Permalink CVE-2025-15602

8.8 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 1 month, 2 weeks ago Activity log

Created suggestion 1 month, 2 weeks ago

Snipe-IT < 8.3.7 Mass Assignment Vulnerability Leading to Privilege Escalation

Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user account, including the Super Admin account. By changing the email address of the Super Admin and triggering a password reset, an attacker can fully take over the Super Admin account, resulting in complete administrative control of the Snipe-IT instance.

References

https://github.com/grokability/snipe-it/releases/tag/v8.3.7 patchrelease-notes
https://snipeitapp.com/ product
https://www.vulncheck.com/advisories/snipe-it-mass-assignment-vulnerability-lea… third-party-advisory

Affected products

Snipe-IT

<8.3.7

Matching in nixpkgs

pkgs.snipe-it

Free open source IT asset/license management system

nixos-unstable 8.3.7
- nixpkgs-unstable 8.4.0
- nixos-unstable-small 8.4.0
nixos-25.11 8.3.6
- nixos-25.11-small 8.3.6
- nixpkgs-25.11-darwin 8.3.6

Package maintainers

@yayayayaka Yaya <github@uwu.is>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.snipe-it

Package maintainers