Nixpkgs security tracker
8.8 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): High (H)
Activity log
- Created suggestion
Microsoft UFO WebSocket role spoofing allows authenticated peer task hijacking
Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's WebSocket control plane trusts client-supplied identity and role fields in task messages. A client connection can register as a normal device, but later send a TASK message claiming client_type="constellation" and target_id=<victim-device-id>. The server trusts the role and target values from the wire message rather than enforcing the role registered for that WebSocket connection. As a result, any authenticated WebSocket client with the shared server token can spoof the higher-privilege constellation role and dispatch attacker-controlled tasks to another connected device. The same client registry also allows duplicate client_id registration, overwriting an existing live client's stored websocket, role, and task protocol. This is an authenticated WebSocket role/identity spoofing issue leading to peer task hijacking.
References
-
https://github.com/microsoft/UFO/security/advisories/GHSA-qgx6-cvhg-jw7p x_refsource_CONFIRM
Affected products
- ==3.0.1-4-ge2626659
Matching in nixpkgs
pkgs.rufo
Ruby formatter
pkgs.tartufo
Tool to search through git repositories for high entropy strings and secrets
pkgs.ufolint
Linter for Unified Font Object (UFO) source code
pkgs.gohufont
A monospace bitmap font well suited for programming and terminal use
pkgs.nerd-fonts.gohufont
Nerd Fonts: Bitmap font, tall capitals and ascenders, small serifs
pkgs.akkuPackages.ufo-try
try-except to handle potential exception
pkgs.akkuPackages.ufo-match
This package is a dependable match macro library for chez scheme.
pkgs.akkuPackages.ufo-timer
This repository is a timer implementation based on Chez Scheme's thread mechanism.
pkgs.akkuPackages.ufo-socket
I did not edit Akku.manifest
pkgs.python312Packages.ufo2ft
Bridge from UFOs to FontTools objects
-
nixos-25.11 ufo2ft-3.6.2
- nixos-25.11-small ufo2ft-3.6.2
- nixpkgs-25.11-darwin ufo2ft-3.6.2
pkgs.python313Packages.ufo2ft
Bridge from UFOs to FontTools objects
-
nixos-unstable ufo2ft-3.7.0
- nixpkgs-unstable ufo2ft-3.7.0
- nixos-unstable-small ufo2ft-3.7.0
-
nixos-25.11 ufo2ft-3.6.2
- nixos-25.11-small ufo2ft-3.6.2
- nixpkgs-25.11-darwin ufo2ft-3.6.2
pkgs.python314Packages.ufo2ft
Bridge from UFOs to FontTools objects
-
nixos-unstable ufo2ft-3.7.0
- nixpkgs-unstable ufo2ft-3.7.0
- nixos-unstable-small ufo2ft-3.7.0
pkgs.python312Packages.ufolib2
Library to deal with UFO font sources
-
nixos-25.11 ufolib2-0.18.1
- nixos-25.11-small ufolib2-0.18.1
- nixpkgs-25.11-darwin ufolib2-0.18.1
pkgs.python312Packages.ufolint
Linter for Unified Font Object (UFO) source code
pkgs.python313Packages.ufolib2
Library to deal with UFO font sources
-
nixos-unstable ufolib2-0.18.1
- nixpkgs-unstable ufolib2-0.18.1
- nixos-unstable-small ufolib2-0.18.1
-
nixos-25.11 ufolib2-0.18.1
- nixos-25.11-small ufolib2-0.18.1
- nixpkgs-25.11-darwin ufolib2-0.18.1
pkgs.python313Packages.ufolint
Linter for Unified Font Object (UFO) source code
pkgs.python314Packages.ufolib2
Library to deal with UFO font sources
-
nixos-unstable ufolib2-0.18.1
- nixpkgs-unstable ufolib2-0.18.1
- nixos-unstable-small ufolib2-0.18.1
pkgs.python312Packages.ufomerge
Command line utility and Python library that merges two UFO source format fonts into a single file
pkgs.python313Packages.ufomerge
Command line utility and Python library that merges two UFO source format fonts into a single file
pkgs.akkuPackages.ufo-coroutines
This package is a dependable coroutine package for chez scheme.
pkgs.akkuPackages.ufo-thread-pool
This package is a dependable thread pool package for chez scheme.
pkgs.python312Packages.ufoprocessor
Read, write and generate UFOs with designspace data
pkgs.python313Packages.ufoprocessor
Read, write and generate UFOs with designspace data
pkgs.python314Packages.ufoprocessor
Read, write and generate UFOs with designspace data
pkgs.python312Packages.ufonormalizer
Script to normalize the XML and other data inside of a UFO
pkgs.python313Packages.ufo-extractor
Tools for extracting data from font binaries into UFO objects
pkgs.python313Packages.ufonormalizer
Script to normalize the XML and other data inside of a UFO
pkgs.python314Packages.ufonormalizer
Script to normalize the XML and other data inside of a UFO
pkgs.akkuPackages.ufo-threaded-function
This package contains threaded-map, threaded-vector-map and such threaded functions for chez scheme.
pkgs.vscode-extensions.ufo5260987423.magic-scheme
Adds support for Scheme(r6rs standard)
-
nixos-unstable ufo5260987423-magic-scheme-0.0.6
- nixpkgs-unstable ufo5260987423-magic-scheme-0.0.6
- nixos-unstable-small ufo5260987423-magic-scheme-0.0.6
-
nixos-25.11 ufo5260987423-magic-scheme-0.0.6
- nixos-25.11-small ufo5260987423-magic-scheme-0.0.6
- nixpkgs-25.11-darwin ufo5260987423-magic-scheme-0.0.6
Package maintainers
-
@rnhmjoj Michele Guerini Rocco <rnhmjoj@inventati.org>
-
@rc-zb Xiao Haifan <rc-zb@outlook.com>
-
@doronbehar Doron Behar <me@doronbehar.com>
-
@GNUqb114514 qb114514 <GNUqb114514@outlook.com>
-
@danc86 Dan Callaghan <djc@djc.id.au>
-
@jopejoe1 jopejoe1 <nixpkgs@missing.ninja>
-
@sternenseemann Lukas Epple <sternenseemann@systemli.org>
-
@andersk Anders Kaseorg <andersk@mit.edu>
-
@fabaff Fabian Affolter <mail@fabian-affolter.ch>