Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-33747

8.4 HIGH

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 3 weeks, 1 day ago

BuildKit vulnerable to malicious frontend causing file escape outside of storage root

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected.

References

https://github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj x_refsource_CONFIRM
https://github.com/moby/buildkit/releases/tag/v0.28.1 x_refsource_MISC

Affected products

buildkit

==< 0.28.1

Matching in nixpkgs

pkgs.buildkit

Concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit

nixos-unstable 0.28.0
- nixpkgs-unstable 0.28.0
- nixos-unstable-small 0.28.0
nixos-25.11 0.25.2
- nixos-25.11-small 0.25.2
- nixpkgs-25.11-darwin 0.25.2

pkgs.buildkit-nix

Nix frontend for BuildKit

nixos-unstable 0.1.1
- nixpkgs-unstable 0.1.1
- nixos-unstable-small 0.1.1
nixos-25.11 0.1.1
- nixos-25.11-small 0.1.1
- nixpkgs-25.11-darwin 0.1.1

pkgs.buildkite-cli

Command line interface for Buildkite

nixos-unstable 3.32.2
- nixpkgs-unstable 3.32.2
- nixos-unstable-small 3.32.2
nixos-25.11 3.13.0
- nixos-25.11-small 3.13.0
- nixpkgs-25.11-darwin 3.13.0

pkgs.buildkite-agent

Build runner for buildkite.com

nixos-unstable 3.89.0
- nixpkgs-unstable 3.89.0
- nixos-unstable-small 3.89.0
nixos-25.11 3.89.0
- nixos-25.11-small 3.89.0
- nixpkgs-25.11-darwin 3.89.0

pkgs.buildkite-agent-metrics

Command-line tool (and Lambda) for collecting Buildkite agent metrics

nixos-unstable 5.10.0
- nixpkgs-unstable 5.10.0
- nixos-unstable-small 5.10.0
nixos-25.11 5.10.0
- nixos-25.11-small 5.10.0
- nixpkgs-25.11-darwin 5.10.0

pkgs.buildkite-test-collector-rust

Rust adapter for Buildkite Test Analytics

nixos-unstable 0.1.3
- nixpkgs-unstable 0.1.3
- nixos-unstable-small 0.1.3
nixos-25.11 0.1.3
- nixos-25.11-small 0.1.3
- nixpkgs-25.11-darwin 0.1.3

pkgs.terraform-providers.buildkite

None

nixos-unstable 1.31.2
- nixpkgs-unstable 1.31.2
- nixos-unstable-small 1.31.2
nixos-25.11 1.26.0
- nixos-25.11-small 1.26.0
- nixpkgs-25.11-darwin 1.26.0

pkgs.terraform-providers.buildkite_buildkite

None

nixos-unstable 1.31.2
- nixpkgs-unstable 1.31.2
- nixos-unstable-small 1.31.2
nixos-25.11 1.26.0
- nixos-25.11-small 1.26.0
- nixpkgs-25.11-darwin 1.26.0

Package maintainers

@vdemeester Vincent Demeester <vincent@sbr.pm>
@developer-guy Batuhan Apaydın <developerguyn@gmail.com>
@LeSuisse Thomas Gerbet <thomas@gerbet.me>
@techknowlogick techknowlogick <techknowlogick@gitea.com>
@jsoo1 John Soo <jsoo1@asu.edu>
@mostlyobvious Paweł Pacana <pawel.pacana@gmail.com>
@zimbatm zimbatm <zimbatm@zimbatm.com>
@cole-h Cole Helbling <cole.e.helbling@outlook.com>
@grahamc Graham Christensen <graham@grahamc.com>
@groodt Greg Roodt <groodt@gmail.com>
@jfroche Jean-François Roche <jfroche@pyxel.be>