Nixpkgs security tracker

Untriaged

Permalink CVE-2026-33529

3.3 LOW

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): HIGH
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

created 3 weeks, 2 days ago

Zoraxy: Authenticated Path Traversal in Config Import leads to RCE

Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Version 3.3.2 patches the issue.

References

https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9 x_refsource_CONFIRM
https://github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b40b x_refsource_MISC
https://github.com/tobychui/zoraxy/releases/tag/v3.3.2 x_refsource_MISC

Affected products

zoraxy

==< 3.3.2

Matching in nixpkgs

pkgs.zoraxy

General purpose HTTP reverse proxy and forwarding tool written in Go

nixos-unstable 3.2.5r2
- nixpkgs-unstable 3.2.5r2
- nixos-unstable-small 3.3.1
nixos-25.11 3.2.5r2
- nixos-25.11-small 3.2.5r2
- nixpkgs-25.11-darwin 3.2.5r2

Package maintainers

@luftmensch-luftmensch Valentino Bocchetti <valentinobocchetti59@gmail.com>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.zoraxy

Package maintainers