Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

Untriaged
Filter by:
With package: rubyPackages_3_3.html-pipeline

Found 4 matching suggestions

View:
Compact
Detailed
Permalink CVE-2026-25542
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 1 day, 5 hours ago Activity log
  • Created suggestion 1 day, 5 hours ago
Tekton Pipelines: VerificationPolicy regex pattern bypass via substring matching

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 0.43.0 to 1.11.0, trusted resources verification policies match a resource source string (refSource.URI) against spec.resources[].pattern using regexp.MatchString. In Go, regexp.MatchString reports a match if the pattern matches anywhere in the string, so common unanchored patterns (including examples in tekton documentation) can be bypassed by attacker-controlled source strings that contain the trusted pattern as a substring. This can cause an unintended policy match and change which verification mode/keys apply.

Affected products

pipeline
  • ==>= 0.43.0, <= 1.11.0

Matching in nixpkgs

pkgs.pipeline

Watch YouTube and PeerTube videos in one place

pkgs.libpipeline

C library for manipulating pipelines of subprocesses in a flexible and convenient way

Package maintainers

Permalink CVE-2026-40923
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 1 day, 5 hours ago Activity log
  • Created suggestion 1 day, 5 hours ago
Tekton Pipelines: VolumeMount path restriction bypass via missing filepath.Clean in /tekton/ check

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Prior to 1.11.1, a validation bypass in the VolumeMount path restriction allows mounting volumes under restricted /tekton/ internal paths by using .. path traversal components. The restriction check uses strings.HasPrefix without filepath.Clean, so a path like /tekton/home/../results passes validation but resolves to /tekton/results at runtime. This vulnerability is fixed in 1.11.1.

Affected products

pipeline
  • ==< 1.11.1

Matching in nixpkgs

pkgs.pipeline

Watch YouTube and PeerTube videos in one place

pkgs.libpipeline

C library for manipulating pipelines of subprocesses in a flexible and convenient way

Package maintainers

Permalink CVE-2026-40924
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 1 day, 5 hours ago Activity log
  • Created suggestion 1 day, 5 hours ago
Tekton Pipelines: HTTP Resolver Unbounded Response Body Read Enables Denial of Service via Memory Exhaustion

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Prior to 1.11.1, the HTTP resolver's FetchHttpResource function calls io.ReadAll(resp.Body) with no response body size limit. Any tenant with permission to create TaskRuns or PipelineRuns that reference the HTTP resolver can point it at an attacker-controlled HTTP server that returns a very large response body within the 1-minute timeout window, causing the tekton-pipelines-resolvers pod to be OOM-killed by Kubernetes. Because all resolver types (Git, Hub, Bundle, Cluster, HTTP) run in the same pod, crashing this pod denies resolution service to the entire cluster. Repeated exploitation causes a sustained crash loop. The same vulnerable code path is reached by both the deprecated pkg/resolution/resolver/http and the current pkg/remoteresolution/resolver/http implementations. This vulnerability is fixed in 1.11.1.

Affected products

pipeline
  • ==< 1.11.1

Matching in nixpkgs

pkgs.pipeline

Watch YouTube and PeerTube videos in one place

pkgs.libpipeline

C library for manipulating pipelines of subprocesses in a flexible and convenient way

Package maintainers

Permalink CVE-2026-40161
7.7 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 1 day, 5 hours ago Activity log
  • Created suggestion 1 day, 5 hours ago
Tekton Pipelines: Git resolver API mode leaks system-configured API token to user-controlled serverURL

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 1.0.0 to 1.10.0, the Tekton Pipelines git resolver in API mode sends the system-configured Git API token to a user-controlled serverURL when the user omits the token parameter. A tenant with TaskRun or PipelineRun create permission can exfiltrate the shared API token (GitHub PAT, GitLab token, etc.) by pointing serverURL to an attacker-controlled endpoint.

Affected products

pipeline
  • ==>= 1.0.0, <= 1.10.0

Matching in nixpkgs

pkgs.pipeline

Watch YouTube and PeerTube videos in one place

pkgs.libpipeline

C library for manipulating pipelines of subprocesses in a flexible and convenient way

Package maintainers