7.8 HIGH
- CVSS version: 3.1
- Attack vector (AV): LOCAL
- Attack complexity (AC): HIGH
- Privileges required (PR): NONE
- User interaction (UI): REQUIRED
- Scope (S): CHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): HIGH
mise: local settings bypass config trust checks
mise manages dev tools like node, python, cmake, and terraform. From 2026.2.18 through 2026.4.5, mise loads trust-control settings from a local project .mise.toml before the trust check runs. An attacker who can place a malicious .mise.toml in a repository can make that same file appear trusted and then reach dangerous directives such as [env] _.source, templates, hooks, or tasks.
References
- https://github.com/jdx/mise/security/advisories/GHSA-436v-8fw5-4mj8 (x_refsource_CONFIRM)
Affected products
- >= 2026.2.18, <= 2026.4.5
Matching in nixpkgs
pkgs.mise
Front-end to your dev env
pkgs.haskellPackages.promises
Lazy demand-driven promises
pkgs.python312Packages.promise
Ultra-performant Promise implementation in Python
pkgs.python313Packages.promise
Ultra-performant Promise implementation in Python
pkgs.python314Packages.promise
Ultra-performant Promise implementation in Python
pkgs.ocamlPackages.promise_jsoo
Js_of_ocaml bindings to JS Promises with supplemental functions
pkgs.python312Packages.heatmiserv3
Library to interact with Heatmiser Thermostats using V3 protocol
- nixos-25.11 heatmiserv3-2.0.3
- nixos-25.11-small heatmiserv3-2.0.3
- nixpkgs-25.11-darwin heatmiserv3-2.0.3
pkgs.python313Packages.heatmiserv3
Library to interact with Heatmiser Thermostats using V3 protocol
- nixos-unstable heatmiserv3-2.0.6
- nixpkgs-unstable heatmiserv3-2.0.6
- nixos-unstable-small heatmiserv3-2.0.6
- nixos-25.11 heatmiserv3-2.0.3
- nixos-25.11-small heatmiserv3-2.0.3
- nixpkgs-25.11-darwin heatmiserv3-2.0.3
pkgs.python314Packages.heatmiserv3
Library to interact with Heatmiser Thermostats using V3 protocol
- nixos-unstable heatmiserv3-2.0.6
- nixpkgs-unstable heatmiserv3-2.0.6
- nixos-unstable-small heatmiserv3-2.0.6
pkgs.haskellPackages.unsafe-promises
Create pure futures using lazy IO
pkgs.ocamlPackages_latest.promise_jsoo
Js_of_ocaml bindings to JS Promises with supplemental functions
Package maintainers
- @konradmalik Konrad Malik <konrad.malik@gmail.com>
- @dotlambda <nix@dotlambda.de>
- @kamadorueda Kevin Amado <kamadorueda@gmail.com>
- @bhootd Jayesh Bhoot <jb@jayeshbhoot.com>