Nixpkgs security tracker
7.5 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): HIGH
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): HIGH
by @fricklerhandwerk Activity log
- Created suggestion
- @fricklerhandwerk accepted
- @fricklerhandwerk dismissed (not in Nixpkgs)
Tekton Pipelines: Git Resolver Unsanitized Revision Parameter Enables git Argument Injection Leading to RCE
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 1.0.0 to before 1.11.0, the git resolver's revision parameter is passed directly as a positional argument to git fetch without any validation that it does not begin with a - character. Because git parses flags from mixed positional arguments, an attacker can inject arbitrary git fetch flags such as --upload-pack=<binary>. Combined with the validateRepoURL function explicitly permitting URLs that begin with / (local filesystem paths), a tenant who can submit ResolutionRequest objects can chain these two behaviors to execute an arbitrary binary on the resolver pod. The tekton-pipelines-resolvers ServiceAccount holds cluster-wide get/list/watch on all Secrets, so code execution on the resolver pod enables full cluster-wide secret exfiltration. This vulnerability is fixed in 1.11.1.
References
-
https://github.com/tektoncd/pipeline/security/advisories/GHSA-94jr-7pqp-xhcq x_refsource_CONFIRM
-
https://github.com/tektoncd/pipeline/releases/tag/v1.11.1 x_refsource_MISC
Affected products
- ==>= 1.0.0, < 1.11.1
Matching in nixpkgs
pkgs.pipeline
Watch YouTube and PeerTube videos in one place
pkgs.libpipeline
C library for manipulating pipelines of subprocesses in a flexible and convenient way
pkgs.haskellPackages.pipeline
Continuation patterns
pkgs.rubyPackages.html-pipeline
None
pkgs.woodpecker-pipeline-transform
Utility to convert different pipelines to Woodpecker CI pipelines
pkgs.rubyPackages_3_3.html-pipeline
None
pkgs.rubyPackages_3_4.html-pipeline
None
pkgs.rubyPackages_4_0.html-pipeline
None
pkgs.python312Packages.pyannote-pipeline
Tunable pipelines
pkgs.python313Packages.pyannote-pipeline
Tunable pipelines
pkgs.python314Packages.pyannote-pipeline
Tunable pipelines
pkgs.haskellPackages.amazonka-codepipeline
Amazon CodePipeline SDK
-
nixos-unstable 2.0-unstable-2025-04-16
- nixpkgs-unstable 2.0-unstable-2025-04-16
- nixos-unstable-small 2.0-unstable-2025-04-16
-
nixos-25.11 2.0-unstable-2025-04-16
- nixos-25.11-small 2.0-unstable-2025-04-16
- nixpkgs-25.11-darwin 2.0-unstable-2025-04-16
pkgs.haskellPackages.amazonka-datapipeline
Amazon Data Pipeline SDK
-
nixos-unstable 2.0-unstable-2025-04-16
- nixpkgs-unstable 2.0-unstable-2025-04-16
- nixos-unstable-small 2.0-unstable-2025-04-16
-
nixos-25.11 2.0-unstable-2025-04-16
- nixos-25.11-small 2.0-unstable-2025-04-16
- nixpkgs-25.11-darwin 2.0-unstable-2025-04-16
pkgs.prometheus-gitlab-ci-pipelines-exporter
Prometheus / OpenMetrics exporter for GitLab CI pipelines insights
pkgs.python312Packages.mypy-boto3-codepipeline
Type annotations for boto3 codepipeline
-
nixos-25.11 boto3-codepipeline-1.41.0
- nixos-25.11-small boto3-codepipeline-1.41.0
- nixpkgs-25.11-darwin boto3-codepipeline-1.41.0
pkgs.python312Packages.mypy-boto3-datapipeline
Type annotations for boto3 datapipeline
-
nixos-25.11 boto3-datapipeline-1.41.0
- nixos-25.11-small boto3-datapipeline-1.41.0
- nixpkgs-25.11-darwin boto3-datapipeline-1.41.0
pkgs.python312Packages.pysigma-pipeline-sysmon
Library to support Sysmon pipeline for pySigma
pkgs.python313Packages.mypy-boto3-codepipeline
Type annotations for boto3 codepipeline
-
nixos-unstable boto3-codepipeline-1.42.3
- nixpkgs-unstable boto3-codepipeline-1.42.3
- nixos-unstable-small boto3-codepipeline-1.42.3
-
nixos-25.11 boto3-codepipeline-1.41.0
- nixos-25.11-small boto3-codepipeline-1.41.0
- nixpkgs-25.11-darwin boto3-codepipeline-1.41.0
pkgs.python313Packages.mypy-boto3-datapipeline
Type annotations for boto3 datapipeline
-
nixos-unstable boto3-datapipeline-1.42.3
- nixpkgs-unstable boto3-datapipeline-1.42.3
- nixos-unstable-small boto3-datapipeline-1.42.3
-
nixos-25.11 boto3-datapipeline-1.41.0
- nixos-25.11-small boto3-datapipeline-1.41.0
- nixpkgs-25.11-darwin boto3-datapipeline-1.41.0
pkgs.python313Packages.pysigma-pipeline-sysmon
Library to support Sysmon pipeline for pySigma
pkgs.python314Packages.mypy-boto3-codepipeline
Type annotations for boto3 codepipeline
-
nixos-unstable boto3-codepipeline-1.42.3
- nixpkgs-unstable boto3-codepipeline-1.42.3
- nixos-unstable-small boto3-codepipeline-1.42.3
pkgs.python314Packages.mypy-boto3-datapipeline
Type annotations for boto3 datapipeline
-
nixos-unstable boto3-datapipeline-1.42.3
- nixpkgs-unstable boto3-datapipeline-1.42.3
- nixos-unstable-small boto3-datapipeline-1.42.3
pkgs.python314Packages.pysigma-pipeline-sysmon
Library to support Sysmon pipeline for pySigma
pkgs.pkgsRocm.python3Packages.pyannote-pipeline
Tunable pipelines
pkgs.python312Packages.pysigma-pipeline-windows
Library to support Windows service pipeline for pySigma
pkgs.python313Packages.pysigma-pipeline-windows
Library to support Windows service pipeline for pySigma
pkgs.python314Packages.pysigma-pipeline-windows
Library to support Windows service pipeline for pySigma
pkgs.azure-cli-extensions.monitor-pipeline-group
Microsoft Azure Command-Line Tools MonitorPipelineGroup Extension
pkgs.home-assistant-component-tests.assist_pipeline
Open source home automation that puts local control and privacy first
pkgs.python312Packages.pysigma-pipeline-crowdstrike
Library to support CrowdStrike pipeline for pySigma
pkgs.python313Packages.pysigma-pipeline-crowdstrike
Library to support CrowdStrike pipeline for pySigma
pkgs.python314Packages.pysigma-pipeline-crowdstrike
Library to support CrowdStrike pipeline for pySigma
pkgs.tests.home-assistant-components.assist_pipeline
Open source home automation that puts local control and privacy first
pkgs.python312Packages.types-aiobotocore-codepipeline
Type annotations for aiobotocore codepipeline
pkgs.python312Packages.types-aiobotocore-datapipeline
Type annotations for aiobotocore datapipeline
pkgs.python313Packages.types-aiobotocore-codepipeline
Type annotations for aiobotocore codepipeline
pkgs.python313Packages.types-aiobotocore-datapipeline
Type annotations for aiobotocore datapipeline
pkgs.haskellPackages.amazonka-chime-sdk-media-pipelines
Amazon Chime SDK Media Pipelines SDK
-
nixos-unstable 2.0-unstable-2025-04-16
- nixpkgs-unstable 2.0-unstable-2025-04-16
- nixos-unstable-small 2.0-unstable-2025-04-16
-
nixos-25.11 2.0-unstable-2025-04-16
- nixos-25.11-small 2.0-unstable-2025-04-16
- nixpkgs-25.11-darwin 2.0-unstable-2025-04-16
pkgs.python312Packages.mypy-boto3-chime-sdk-media-pipelines
Type annotations for boto3 chime-sdk-media-pipelines
-
nixos-25.11 boto3-chime-sdk-media-pipelines-1.41.0
- nixos-25.11-small boto3-chime-sdk-media-pipelines-1.41.0
- nixpkgs-25.11-darwin boto3-chime-sdk-media-pipelines-1.41.0
pkgs.python313Packages.mypy-boto3-chime-sdk-media-pipelines
Type annotations for boto3 chime-sdk-media-pipelines
-
nixos-unstable boto3-chime-sdk-media-pipelines-1.42.3
- nixpkgs-unstable boto3-chime-sdk-media-pipelines-1.42.3
- nixos-unstable-small boto3-chime-sdk-media-pipelines-1.42.3
-
nixos-25.11 boto3-chime-sdk-media-pipelines-1.41.0
- nixos-25.11-small boto3-chime-sdk-media-pipelines-1.41.0
- nixpkgs-25.11-darwin boto3-chime-sdk-media-pipelines-1.41.0
pkgs.python314Packages.mypy-boto3-chime-sdk-media-pipelines
Type annotations for boto3 chime-sdk-media-pipelines
-
nixos-unstable boto3-chime-sdk-media-pipelines-1.42.3
- nixpkgs-unstable boto3-chime-sdk-media-pipelines-1.42.3
- nixos-unstable-small boto3-chime-sdk-media-pipelines-1.42.3
pkgs.python312Packages.types-aiobotocore-chime-sdk-media-pipelines
Type annotations for aiobotocore chime-sdk-media-pipelines
Package maintainers
-
@ulrikstrid Ulrik Strid <ulrik.strid@outlook.com>
-
@katexochen Paul Meyer <katexochen0@gmail.com>
-
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
-
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
-
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>
-
@normalcea normalcea <normalc@posteo.net>
-
@chuangzhu Chuang Zhu <nixos@chuang.cz>
-
@mvisonneau Maxime VISONNEAU <maxime@visonneau.fr>
-
@mmahut Marek Mahut <marek.mahut@gmail.com>
-
@mbalatsko Maksym Balatsko <mbalatsko@gmail.com>
-
@ambroisie Bruno BELANYI <bruno.nixpkgs@belanyi.fr>
-
@luftmensch-luftmensch Valentino Bocchetti <valentinobocchetti59@gmail.com>