Nixpkgs security tracker

Untriaged

Permalink CVE-2026-40924

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): HIGH

created 1 day, 4 hours ago Activity log

Created suggestion 1 day, 4 hours ago

Tekton Pipelines: HTTP Resolver Unbounded Response Body Read Enables Denial of Service via Memory Exhaustion

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Prior to 1.11.1, the HTTP resolver's FetchHttpResource function calls io.ReadAll(resp.Body) with no response body size limit. Any tenant with permission to create TaskRuns or PipelineRuns that reference the HTTP resolver can point it at an attacker-controlled HTTP server that returns a very large response body within the 1-minute timeout window, causing the tekton-pipelines-resolvers pod to be OOM-killed by Kubernetes. Because all resolver types (Git, Hub, Bundle, Cluster, HTTP) run in the same pod, crashing this pod denies resolution service to the entire cluster. Repeated exploitation causes a sustained crash loop. The same vulnerable code path is reached by both the deprecated pkg/resolution/resolver/http and the current pkg/remoteresolution/resolver/http implementations. This vulnerability is fixed in 1.11.1.

References

https://github.com/tektoncd/pipeline/security/advisories/GHSA-m2cx-gpqf-qf74 x_refsource_CONFIRM
https://github.com/tektoncd/pipeline/releases/tag/v1.11.1 x_refsource_MISC

Affected products

pipeline

==< 1.11.1

Matching in nixpkgs

pkgs.pipeline

Watch YouTube and PeerTube videos in one place

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1
nixos-25.11 3.1.1
- nixos-25.11-small 3.1.1
- nixpkgs-25.11-darwin 3.1.1

pkgs.libpipeline

C library for manipulating pipelines of subprocesses in a flexible and convenient way

nixos-unstable 1.5.8
- nixpkgs-unstable 1.5.8
- nixos-unstable-small 1.5.8
nixos-25.11 1.5.8
- nixos-25.11-small 1.5.8
- nixpkgs-25.11-darwin 1.5.8

pkgs.haskellPackages.pipeline

Continuation patterns

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0
nixos-25.11 0.1.0
- nixos-25.11-small 0.1.0
- nixpkgs-25.11-darwin 0.1.0

pkgs.rubyPackages.html-pipeline

None

nixos-unstable 2.14.3
- nixpkgs-unstable 2.14.3
- nixos-unstable-small 2.14.3
nixos-25.11 2.14.3
- nixos-25.11-small 2.14.3
- nixpkgs-25.11-darwin 2.14.3

pkgs.woodpecker-pipeline-transform

Utility to convert different pipelines to Woodpecker CI pipelines

nixos-unstable 0.2.0
- nixpkgs-unstable 0.2.0
- nixos-unstable-small 0.2.0
nixos-25.11 0.2.0
- nixos-25.11-small 0.2.0
- nixpkgs-25.11-darwin 0.2.0

pkgs.rubyPackages_3_3.html-pipeline

None

nixos-unstable 2.14.3
- nixpkgs-unstable 2.14.3
- nixos-unstable-small 2.14.3
nixos-25.11 2.14.3
- nixos-25.11-small 2.14.3
- nixpkgs-25.11-darwin 2.14.3

pkgs.rubyPackages_3_4.html-pipeline

None

nixos-unstable 2.14.3
- nixpkgs-unstable 2.14.3
- nixos-unstable-small 2.14.3
nixos-25.11 2.14.3
- nixos-25.11-small 2.14.3
- nixpkgs-25.11-darwin 2.14.3

pkgs.rubyPackages_4_0.html-pipeline

None

nixos-unstable 2.14.3
- nixpkgs-unstable 2.14.3
- nixos-unstable-small 2.14.3
nixos-25.11 2.14.3
- nixos-25.11-small 2.14.3
- nixpkgs-25.11-darwin 2.14.3

pkgs.python312Packages.pyannote-pipeline

Tunable pipelines

nixos-25.11 4.0.0
- nixos-25.11-small 4.0.0
- nixpkgs-25.11-darwin 4.0.0

pkgs.python313Packages.pyannote-pipeline

Tunable pipelines

nixos-unstable 4.0.0
- nixpkgs-unstable 4.0.0
- nixos-unstable-small 4.0.0
nixos-25.11 4.0.0
- nixos-25.11-small 4.0.0
- nixpkgs-25.11-darwin 4.0.0

pkgs.python314Packages.pyannote-pipeline

Tunable pipelines

nixos-unstable 4.0.0
- nixpkgs-unstable 4.0.0
- nixos-unstable-small 4.0.0

pkgs.haskellPackages.amazonka-codepipeline

Amazon CodePipeline SDK

nixos-unstable 2.0-unstable-2025-04-16
- nixpkgs-unstable 2.0-unstable-2025-04-16
- nixos-unstable-small 2.0-unstable-2025-04-16
nixos-25.11 2.0-unstable-2025-04-16
- nixos-25.11-small 2.0-unstable-2025-04-16
- nixpkgs-25.11-darwin 2.0-unstable-2025-04-16

pkgs.haskellPackages.amazonka-datapipeline

Amazon Data Pipeline SDK

nixos-unstable 2.0-unstable-2025-04-16
- nixpkgs-unstable 2.0-unstable-2025-04-16
- nixos-unstable-small 2.0-unstable-2025-04-16
nixos-25.11 2.0-unstable-2025-04-16
- nixos-25.11-small 2.0-unstable-2025-04-16
- nixpkgs-25.11-darwin 2.0-unstable-2025-04-16

pkgs.prometheus-gitlab-ci-pipelines-exporter

Prometheus / OpenMetrics exporter for GitLab CI pipelines insights

nixos-unstable 0.6.0
- nixpkgs-unstable 0.6.0
- nixos-unstable-small 0.6.0
nixos-25.11 0.5.10
- nixos-25.11-small 0.5.10
- nixpkgs-25.11-darwin 0.5.10

pkgs.python312Packages.mypy-boto3-codepipeline

Type annotations for boto3 codepipeline

nixos-25.11 boto3-codepipeline-1.41.0
- nixos-25.11-small boto3-codepipeline-1.41.0
- nixpkgs-25.11-darwin boto3-codepipeline-1.41.0

pkgs.python312Packages.mypy-boto3-datapipeline

Type annotations for boto3 datapipeline

nixos-25.11 boto3-datapipeline-1.41.0
- nixos-25.11-small boto3-datapipeline-1.41.0
- nixpkgs-25.11-darwin boto3-datapipeline-1.41.0

pkgs.python312Packages.pysigma-pipeline-sysmon

Library to support Sysmon pipeline for pySigma

nixos-25.11 1.0.4
- nixos-25.11-small 1.0.4
- nixpkgs-25.11-darwin 1.0.4

pkgs.python313Packages.mypy-boto3-codepipeline

Type annotations for boto3 codepipeline

nixos-unstable boto3-codepipeline-1.42.3
- nixpkgs-unstable boto3-codepipeline-1.42.3
- nixos-unstable-small boto3-codepipeline-1.42.3
nixos-25.11 boto3-codepipeline-1.41.0
- nixos-25.11-small boto3-codepipeline-1.41.0
- nixpkgs-25.11-darwin boto3-codepipeline-1.41.0

pkgs.python313Packages.mypy-boto3-datapipeline

Type annotations for boto3 datapipeline

nixos-unstable boto3-datapipeline-1.42.3
- nixpkgs-unstable boto3-datapipeline-1.42.3
- nixos-unstable-small boto3-datapipeline-1.42.3
nixos-25.11 boto3-datapipeline-1.41.0
- nixos-25.11-small boto3-datapipeline-1.41.0
- nixpkgs-25.11-darwin boto3-datapipeline-1.41.0

pkgs.python313Packages.pysigma-pipeline-sysmon

Library to support Sysmon pipeline for pySigma

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0
nixos-25.11 1.0.4
- nixos-25.11-small 1.0.4
- nixpkgs-25.11-darwin 1.0.4

pkgs.python314Packages.mypy-boto3-codepipeline

Type annotations for boto3 codepipeline

nixos-unstable boto3-codepipeline-1.42.3
- nixpkgs-unstable boto3-codepipeline-1.42.3
- nixos-unstable-small boto3-codepipeline-1.42.3

pkgs.python314Packages.mypy-boto3-datapipeline

Type annotations for boto3 datapipeline

nixos-unstable boto3-datapipeline-1.42.3
- nixpkgs-unstable boto3-datapipeline-1.42.3
- nixos-unstable-small boto3-datapipeline-1.42.3

pkgs.python314Packages.pysigma-pipeline-sysmon

Library to support Sysmon pipeline for pySigma

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.pkgsRocm.python3Packages.pyannote-pipeline

Tunable pipelines

nixos-unstable 4.0.0
- nixpkgs-unstable 4.0.0
- nixos-unstable-small 4.0.0
nixos-25.11 4.0.0
- nixos-25.11-small 4.0.0
- nixpkgs-25.11-darwin 4.0.0

pkgs.python312Packages.pysigma-pipeline-windows

Library to support Windows service pipeline for pySigma

nixos-25.11 1.2.0
- nixos-25.11-small 1.2.0
- nixpkgs-25.11-darwin 1.2.0

pkgs.python313Packages.pysigma-pipeline-windows

Library to support Windows service pipeline for pySigma

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0
nixos-25.11 1.2.0
- nixos-25.11-small 1.2.0
- nixpkgs-25.11-darwin 1.2.0

pkgs.python314Packages.pysigma-pipeline-windows

Library to support Windows service pipeline for pySigma

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.azure-cli-extensions.monitor-pipeline-group

Microsoft Azure Command-Line Tools MonitorPipelineGroup Extension

nixos-unstable 1.0.0b2
- nixpkgs-unstable 1.0.0b2
- nixos-unstable-small 1.0.0b2
nixos-25.11 1.0.0b2
- nixos-25.11-small 1.0.0b2
- nixpkgs-25.11-darwin 1.0.0b2