Nixpkgs security tracker

Untriaged

Permalink CVE-2026-32948

created 3 weeks, 4 days ago

sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows

sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process("cmd", "/c", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious fragment can execute arbitrary commands. This issue has been patched in version 1.12.7.

References

https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw x_refsource_CONFIRM
https://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e x_refsource_MISC
https://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800 x_refsource_MISC
https://github.com/sbt/sbt/releases/tag/v1.12.7 x_refsource_MISC

Affected products

sbt

==>= 0.9.5, < 1.12.7

Matching in nixpkgs

pkgs.sbt

Build tool for Scala, Java and more

nixos-unstable 1.12.4
- nixpkgs-unstable 1.12.4
- nixos-unstable-small 1.12.4
nixos-25.11 1.11.7
- nixos-25.11-small 1.11.7
- nixpkgs-25.11-darwin 1.11.7

pkgs.usbtop

Top utility that shows an estimated instantaneous bandwidth on USB buses and devices

nixos-unstable 1.0
- nixpkgs-unstable 1.0
- nixos-unstable-small 1.0
nixos-25.11 1.0
- nixos-25.11-small 1.0
- nixpkgs-25.11-darwin 1.0

pkgs.sbt-extras

A more featureful runner for sbt, the simple/scala/standard build tool

nixos-unstable 2025-08-25
- nixpkgs-unstable 2025-08-25
- nixos-unstable-small 2025-08-25
nixos-25.11 2025-08-25
- nixos-25.11-small 2025-08-25
- nixpkgs-25.11-darwin 2025-08-25