Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

Untriaged

Filter by:

With package: python313Packages.intake-parquet

Found 1 matching suggestions

View:

Compact

Detailed

Permalink CVE-2026-33310

8.8 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 3 weeks, 4 days ago

Intake has a Command Injection via shell() Expansion in Parameter Defaults

Intake is a package for finding, investigating, loading and disseminating data. Prior to version 2.0.9, the shell() syntax within parameter default values appears to be automatically expanded during the catalog parsing process. If a catalog contains a parameter default such as shell(<command>), the command may be executed when the catalog source is accessed. This means that if a user loads a malicious catalog YAML, embedded commands could execute on the host system. Version 2.0.9 mitigates the issue by making getshell False by default everywhere.

References

https://github.com/intake/intake/security/advisories/GHSA-37g4-qqqv-7m99 x_refsource_CONFIRM
https://github.com/intake/intake/commit/d0c0b6b57c1cb3f73880655ded4a9b0e18e1fd1b x_refsource_MISC

Affected products

intake

==< 2.0.9

Matching in nixpkgs

pkgs.python312Packages.intake

Data load and catalog system

nixos-25.11 2.0.8
- nixos-25.11-small 2.0.8
- nixpkgs-25.11-darwin 2.0.8

pkgs.python313Packages.intake

Data load and catalog system

nixos-unstable 2.0.8
- nixpkgs-unstable 2.0.8
- nixos-unstable-small 2.0.8
nixos-25.11 2.0.8
- nixos-25.11-small 2.0.8
- nixpkgs-25.11-darwin 2.0.8

pkgs.python314Packages.intake

Data load and catalog system

nixos-unstable 2.0.8
- nixpkgs-unstable 2.0.8
- nixos-unstable-small 2.0.8

pkgs.python312Packages.intake-parquet

Parquet plugin for Intake

nixos-25.11 0.3.0
- nixos-25.11-small 0.3.0
- nixpkgs-25.11-darwin 0.3.0

pkgs.python313Packages.intake-parquet

Parquet plugin for Intake

nixos-unstable 0.3.0
- nixpkgs-unstable 0.3.0
- nixos-unstable-small 0.3.0
nixos-25.11 0.3.0
- nixos-25.11-small 0.3.0
- nixpkgs-25.11-darwin 0.3.0

pkgs.python314Packages.intake-parquet

Parquet plugin for Intake

nixos-unstable 0.3.0
- nixpkgs-unstable 0.3.0
- nixos-unstable-small 0.3.0

Package maintainers

@fabaff Fabian Affolter <mail@fabian-affolter.ch>

1