6.3 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): Low (L)
- Integrity (I): Low (L)
- Availability (A): Low (L)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): Low (L)
Activity log
- Created suggestion
Microsoft UFO shared WebSocket handler state causes cross-client response hijacking
Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. In version 3.0.1-4-ge2626659, Microsoft UFO creates a single shared UFOWebSocketHandler instance and reuses it for multiple authenticated WebSocket connections. The handler stores per-connection protocol objects in mutable instance fields, and each new WebSocket connection overwrites those fields. Later, message handlers send responses through the shared fields instead of through protocol objects bound to the originating connection. As a result, the most recently connected authenticated client can receive protocol responses that belong to another authenticated client.
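The defect pattern above, reduced to a self-contained illustration, as an added example that is not code from UFO or the advisory. Connection, protocol and handler names (FakeConnection, Protocol, SharedStateHandler, PerConnectionHandler) are hypothetical stand-ins constructed for this example; there is no real socket involved. The weak handler keeps the protocol object in a mutable field that every new connection overwrites, so a reply to the first client lands in the last client's inbox; the corrected handler keeps one protocol object per connection and resolves replies from the originating connection. The last function is the kind of regression check a maintainer can keep in a test suite to catch the cross-client delivery before release.

```python
"""Constructed illustration of shared-handler state leaking responses
across WebSocket clients. None of these classes are UFO code; the names
are hypothetical and the 'connection' is an in-memory stand-in."""
from dataclasses import dataclass, field


@dataclass(eq=False)  # eq=False: identity hashing, so a connection can key a dict
class FakeConnection:
    """Stand-in for one authenticated WebSocket connection (constructed)."""
    client_id: str
    inbox: list = field(default_factory=list)

    def send(self, message: str) -> None:
        self.inbox.append(message)


class Protocol:
    """Per-connection protocol object that knows which connection it serves."""

    def __init__(self, conn: FakeConnection):
        self.conn = conn

    def reply(self, text: str) -> None:
        self.conn.send(text)


class SharedStateHandler:
    """Weak pattern: one handler instance reused for every connection, with
    the protocol object held in a mutable instance field. Each on_connect
    overwrites the field, so replies go to whoever connected most recently."""

    def __init__(self):
        self.protocol = None  # shared across all connections

    def on_connect(self, conn: FakeConnection) -> None:
        self.protocol = Protocol(conn)  # clobbers the previous client's protocol

    def on_message(self, conn: FakeConnection, text: str) -> None:
        # Defect: replies through the shared field, ignoring `conn`.
        self.protocol.reply(f"echo:{text}")


class PerConnectionHandler:
    """Corrected pattern: protocol objects are keyed by the connection that
    created them, and a reply is resolved from the originating connection."""

    def __init__(self):
        self.protocols: dict[FakeConnection, Protocol] = {}

    def on_connect(self, conn: FakeConnection) -> None:
        self.protocols[conn] = Protocol(conn)

    def on_disconnect(self, conn: FakeConnection) -> None:
        self.protocols.pop(conn, None)  # do not let stale protocols linger

    def on_message(self, conn: FakeConnection, text: str) -> None:
        self.protocols[conn].reply(f"echo:{text}")


def run_scenario(handler_cls) -> dict[str, list]:
    """Two clients connect in order; the first one then sends a message.
    Returns both inboxes so the two handler designs can be compared."""
    handler = handler_cls()
    alice = FakeConnection("alice")
    bob = FakeConnection("bob")
    handler.on_connect(alice)
    handler.on_connect(bob)  # bob is the most recently connected client
    handler.on_message(alice, "hello")
    return {"alice": alice.inbox, "bob": bob.inbox}


def responses_are_isolated(handler_cls) -> bool:
    """Regression check: a reply to alice must reach only alice."""
    result = run_scenario(handler_cls)
    return result["alice"] == ["echo:hello"] and result["bob"] == []


if __name__ == "__main__":
    print("shared handler:", run_scenario(SharedStateHandler))
    print("per-connection handler:", run_scenario(PerConnectionHandler))
    print("isolated (shared):", responses_are_isolated(SharedStateHandler))
    print("isolated (per-connection):", responses_are_isolated(PerConnectionHandler))
```

The dictionary keyed by connection is one fix among several; an equally sound one is to construct the protocol object inside the per-connection coroutine and never store it on the long-lived handler at all. Either way, the invariant the regression check enforces is the same: response routing must be derived from the connection that sent the request, never from handler-wide state.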
References
- https://github.com/microsoft/UFO/security/advisories/GHSA-cwwh-p9rv-4pj4 (x_refsource_CONFIRM)
Affected products
- ==3.0.1-4-ge2626659
Matching in nixpkgs
pkgs.rufo
Ruby formatter
pkgs.tartufo
Tool to search through git repositories for high entropy strings and secrets
pkgs.ufolint
Linter for Unified Font Object (UFO) source code
pkgs.gohufont
A monospace bitmap font well suited for programming and terminal use
pkgs.nerd-fonts.gohufont
Nerd Fonts: Bitmap font, tall capitals and ascenders, small serifs
pkgs.akkuPackages.ufo-try
try-except to handle potential exception
pkgs.akkuPackages.ufo-match
This package is a dependable match macro library for chez scheme.
pkgs.akkuPackages.ufo-timer
This repository is a timer implementation based on Chez Scheme's thread mechanism.
pkgs.akkuPackages.ufo-socket
I did not edit Akku.manifest
pkgs.python312Packages.ufo2ft
Bridge from UFOs to FontTools objects
- nixos-25.11 ufo2ft-3.6.2
- nixos-25.11-small ufo2ft-3.6.2
- nixpkgs-25.11-darwin ufo2ft-3.6.2
pkgs.python313Packages.ufo2ft
Bridge from UFOs to FontTools objects
- nixos-unstable ufo2ft-3.7.0
- nixpkgs-unstable ufo2ft-3.7.0
- nixos-unstable-small ufo2ft-3.7.0
- nixos-25.11 ufo2ft-3.6.2
- nixos-25.11-small ufo2ft-3.6.2
- nixpkgs-25.11-darwin ufo2ft-3.6.2
pkgs.python314Packages.ufo2ft
Bridge from UFOs to FontTools objects
- nixos-unstable ufo2ft-3.7.0
- nixpkgs-unstable ufo2ft-3.7.0
- nixos-unstable-small ufo2ft-3.7.0
pkgs.python312Packages.ufolib2
Library to deal with UFO font sources
- nixos-25.11 ufolib2-0.18.1
- nixos-25.11-small ufolib2-0.18.1
- nixpkgs-25.11-darwin ufolib2-0.18.1
pkgs.python312Packages.ufolint
Linter for Unified Font Object (UFO) source code
pkgs.python313Packages.ufolib2
Library to deal with UFO font sources
- nixos-unstable ufolib2-0.18.1
- nixpkgs-unstable ufolib2-0.18.1
- nixos-unstable-small ufolib2-0.18.1
- nixos-25.11 ufolib2-0.18.1
- nixos-25.11-small ufolib2-0.18.1
- nixpkgs-25.11-darwin ufolib2-0.18.1
pkgs.python313Packages.ufolint
Linter for Unified Font Object (UFO) source code
pkgs.python314Packages.ufolib2
Library to deal with UFO font sources
- nixos-unstable ufolib2-0.18.1
- nixpkgs-unstable ufolib2-0.18.1
- nixos-unstable-small ufolib2-0.18.1
pkgs.python312Packages.ufomerge
Command line utility and Python library that merges two UFO source format fonts into a single file
pkgs.python313Packages.ufomerge
Command line utility and Python library that merges two UFO source format fonts into a single file
pkgs.akkuPackages.ufo-coroutines
This package is a dependable coroutine package for chez scheme.
pkgs.akkuPackages.ufo-thread-pool
This package is a dependable thread pool package for chez scheme.
pkgs.python312Packages.ufoprocessor
Read, write and generate UFOs with designspace data
pkgs.python313Packages.ufoprocessor
Read, write and generate UFOs with designspace data
pkgs.python314Packages.ufoprocessor
Read, write and generate UFOs with designspace data
pkgs.python312Packages.ufonormalizer
Script to normalize the XML and other data inside of a UFO
pkgs.python313Packages.ufo-extractor
Tools for extracting data from font binaries into UFO objects
pkgs.python313Packages.ufonormalizer
Script to normalize the XML and other data inside of a UFO
pkgs.python314Packages.ufonormalizer
Script to normalize the XML and other data inside of a UFO
pkgs.akkuPackages.ufo-threaded-function
This package contains threaded-map, threaded-vector-map and such threaded functions for chez scheme.
pkgs.vscode-extensions.ufo5260987423.magic-scheme
Adds support for Scheme (R6RS standard)
- nixos-unstable ufo5260987423-magic-scheme-0.0.6
- nixpkgs-unstable ufo5260987423-magic-scheme-0.0.6
- nixos-unstable-small ufo5260987423-magic-scheme-0.0.6
- nixos-25.11 ufo5260987423-magic-scheme-0.0.6
- nixos-25.11-small ufo5260987423-magic-scheme-0.0.6
- nixpkgs-25.11-darwin ufo5260987423-magic-scheme-0.0.6
Package maintainers
- @rnhmjoj Michele Guerini Rocco <rnhmjoj@inventati.org>
- @rc-zb Xiao Haifan <rc-zb@outlook.com>
- @doronbehar Doron Behar <me@doronbehar.com>
- @GNUqb114514 qb114514 <GNUqb114514@outlook.com>
- @danc86 Dan Callaghan <djc@djc.id.au>
- @jopejoe1 jopejoe1 <nixpkgs@missing.ninja>
- @sternenseemann Lukas Epple <sternenseemann@systemli.org>
- @andersk Anders Kaseorg <andersk@mit.edu>
- @fabaff Fabian Affolter <mail@fabian-affolter.ch>