Nixpkgs security tracker

Untriaged

Permalink CVE-2026-25858

created 2 months, 1 week ago Activity log

Created suggestion 2 months, 1 week ago

macrozheng mall <= 1.0.3 Unauthenticated Password Reset via OTP Disclosure

macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim’s telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number.

References

https://github.com/macrozheng/mall/issues/946 issue-tracking
https://www.macrozheng.com/ product
https://www.vulncheck.com/advisories/macrozheng-mall-unauthenticated-password-r… third-party-advisory

Affected products

mall

=<1.0.3

Matching in nixpkgs

pkgs.dmalloc

Debug Malloc memory allocation debugging C library

nixos-unstable 5.6.5
- nixpkgs-unstable 5.6.5
- nixos-unstable-small 5.6.5
nixos-25.11 5.6.5
- nixpkgs-25.11-darwin 5.6.5

pkgs.smallwm

Small X window manager, extended from tinywm

nixos-unstable 0-unstable-2020-02-28
- nixpkgs-unstable 0-unstable-2020-02-28
- nixos-unstable-small 0-unstable-2020-02-28
nixos-25.11 0-unstable-2020-02-28
- nixpkgs-25.11-darwin 0-unstable-2020-02-28

pkgs.jemalloc

General purpose malloc(3) implementation

nixos-unstable 5.3.0
- nixpkgs-unstable 5.3.0-unstable-2025-09-12
- nixos-unstable-small 5.3.0-unstable-2025-09-12
nixos-25.11 5.3.0-unstable-2025-09-12
- nixpkgs-25.11-darwin 5.3.0-unstable-2025-09-12

pkgs.mimalloc

Compact, fast, general-purpose memory allocator

nixos-unstable 3.1.5
- nixpkgs-unstable 3.1.5
- nixos-unstable-small 3.1.5
nixos-25.11 3.1.5
- nixpkgs-25.11-darwin 3.1.5

pkgs.kicad-small

Open Source Electronics Design Automation suite, without 3D models

nixos-unstable 9.0.2
- nixpkgs-unstable 9.0.7
- nixos-unstable-small 9.0.7
nixos-25.11 9.0.5
- nixpkgs-25.11-darwin 9.0.5

pkgs.gnu-smalltalk

Free implementation of the Smalltalk-80 language

nixos-unstable 3.2.5
- nixpkgs-unstable 3.2.5
- nixos-unstable-small 3.2.5
nixos-25.11 3.2.5
- nixpkgs-25.11-darwin 3.2.5

pkgs.darwin.libmalloc

None

nixos-unstable 11.0

pkgs.mallard-ducktype

Parser for the lightweight Ducktype syntax for Mallard

nixos-unstable 1.0.2
- nixpkgs-unstable 1.0.2
- nixos-unstable-small 1.0.2
nixos-25.11 1.0.2
- nixpkgs-25.11-darwin 1.0.2

pkgs.rust-jemalloc-sys

General purpose malloc(3) implementation

nixos-unstable 5.3.0
- nixpkgs-unstable 5.3.0-unstable-2025-09-12
- nixos-unstable-small 5.3.0-unstable-2025-09-12
nixos-25.11 5.3.0-unstable-2025-09-12
- nixpkgs-25.11-darwin 5.3.0-unstable-2025-09-12

pkgs.pari-seadata-small

PARI database needed by ellap for large primes

nixos-unstable 20090618
- nixpkgs-unstable 20090618
- nixos-unstable-small 20090618
nixos-25.11 20090618
- nixpkgs-25.11-darwin 20090618

pkgs.kicad-testing-small

Open Source Electronics Design Automation suite, without 3D models

nixos-unstable 9.0-2025-02-21
- nixpkgs-unstable 9.0-2026-01-10
- nixos-unstable-small 9.0-2026-01-10
nixos-25.11 9.0-2025-02-21
- nixpkgs-25.11-darwin 9.0-2025-02-21

pkgs.kicad-unstable-small

Open Source EDA suite, latest on master branch, without 3D models

nixos-unstable 878cf768d6
- nixpkgs-unstable 878cf768d6
- nixos-unstable-small 878cf768d6
nixos-25.11 878cf768d6
- nixpkgs-25.11-darwin 878cf768d6

pkgs.graphene-hardened-malloc

Hardened allocator designed for modern systems

nixos-unstable 2025041100
- nixpkgs-unstable 2025092700
- nixos-unstable-small 2025092700
nixos-25.11 2025092700
- nixpkgs-25.11-darwin 2025092700

pkgs.haskellPackages.smallcheck

A property-based testing library

nixos-unstable 1.2.1.1
- nixpkgs-unstable 1.2.1.1
- nixos-unstable-small 1.2.1.1
nixos-25.11 1.2.1.1
- nixpkgs-25.11-darwin 1.2.1.1

pkgs.rust-jemalloc-sys-unprefixed

General purpose malloc(3) implementation

nixos-unstable 5.3.0
- nixpkgs-unstable 5.3.0-unstable-2025-09-12
- nixos-unstable-small 5.3.0-unstable-2025-09-12
nixos-25.11 5.3.0-unstable-2025-09-12
- nixpkgs-25.11-darwin 5.3.0-unstable-2025-09-12

pkgs.python312Packages.marshmallow

Library for converting complex objects to and from simple Python datatypes

nixos-unstable 3.26.1
nixos-25.11 3.26.1
- nixpkgs-25.11-darwin 3.26.1

pkgs.python313Packages.marshmallow

Library for converting complex objects to and from simple Python datatypes

nixos-unstable 3.26.1
- nixpkgs-unstable 4.1.2
- nixos-unstable-small 4.1.2
nixos-25.11 3.26.1
- nixpkgs-25.11-darwin 3.26.1

pkgs.python314Packages.marshmallow

Library for converting complex objects to and from simple Python datatypes

nixos-unstable -
- nixpkgs-unstable 4.1.2
- nixos-unstable-small 4.1.2

pkgs.haskellPackages.lazysmallcheck

A library for demand-driven testing of Haskell programs

nixos-unstable 0.6
- nixpkgs-unstable 0.6
- nixos-unstable-small 0.6
nixos-25.11 0.6
- nixpkgs-25.11-darwin 0.6

pkgs.haskellPackages.hspec-smallcheck

SmallCheck support for the Hspec testing framework

nixos-unstable 0.5.3
- nixpkgs-unstable 0.5.3
- nixos-unstable-small 0.5.3
nixos-25.11 0.5.3
- nixpkgs-25.11-darwin 0.5.3

pkgs.haskellPackages.tasty-smallcheck

SmallCheck support for the Tasty test framework

nixos-unstable 0.8.2
- nixpkgs-unstable 0.8.2
- nixos-unstable-small 0.8.2
nixos-25.11 0.8.2
- nixpkgs-25.11-darwin 0.8.2

pkgs.python312Packages.mallard-ducktype

Parser for the lightweight Ducktype syntax for Mallard

nixos-unstable 1.0.2
nixos-25.11 1.0.2
- nixpkgs-25.11-darwin 1.0.2

pkgs.python313Packages.mallard-ducktype

Parser for the lightweight Ducktype syntax for Mallard

nixos-unstable 1.0.2
- nixpkgs-unstable 1.0.2
- nixos-unstable-small 1.0.2
nixos-25.11 1.0.2
- nixpkgs-25.11-darwin 1.0.2

pkgs.python314Packages.mallard-ducktype

Parser for the lightweight Ducktype syntax for Mallard

nixos-unstable -
- nixpkgs-unstable 1.0.2
- nixos-unstable-small 1.0.2

pkgs.python312Packages.flask-marshmallow

Flask + marshmallow for beautiful APIs

nixos-unstable 1.3.0
nixos-25.11 1.3.0
- nixpkgs-25.11-darwin 1.3.0

pkgs.python313Packages.flask-marshmallow

Flask + marshmallow for beautiful APIs

nixos-unstable 1.3.0
- nixpkgs-unstable 1.3.0
- nixos-unstable-small 1.3.0
nixos-25.11 1.3.0
- nixpkgs-25.11-darwin 1.3.0

pkgs.python314Packages.flask-marshmallow

Flask + marshmallow for beautiful APIs

nixos-unstable -
- nixpkgs-unstable 1.3.0
- nixos-unstable-small 1.3.0

pkgs.haskellPackages.small-bytearray-builder

Serialize to bytes

nixos-unstable 0.3.7.0
- nixpkgs-unstable 0.3.7.0
- nixos-unstable-small 0.3.7.0
nixos-25.11 0.3.7.0
- nixpkgs-25.11-darwin 0.3.7.0

pkgs.python312Packages.marshmallow-dataclass

Automatic generation of marshmallow schemas from dataclasses

nixos-unstable 8.7.1
nixos-25.11 8.7.1
- nixpkgs-25.11-darwin 8.7.1

pkgs.python312Packages.marshmallow-polyfield

Extension to Marshmallow to allow for polymorphic fields

nixos-unstable 5.11
nixos-25.11 5.11
- nixpkgs-25.11-darwin 5.11

pkgs.python313Packages.marshmallow-dataclass

Automatic generation of marshmallow schemas from dataclasses

nixos-unstable 8.7.1
- nixpkgs-unstable 8.7.1
- nixos-unstable-small 8.7.1
nixos-25.11 8.7.1
- nixpkgs-25.11-darwin 8.7.1

pkgs.python313Packages.marshmallow-polyfield

Extension to Marshmallow to allow for polymorphic fields

nixos-unstable 5.11
nixos-25.11 5.11
- nixpkgs-25.11-darwin 5.11

pkgs.python314Packages.marshmallow-dataclass

Automatic generation of marshmallow schemas from dataclasses

nixos-unstable -
- nixpkgs-unstable 8.7.1
- nixos-unstable-small 8.7.1

pkgs.python312Packages.marshmallow-sqlalchemy

SQLAlchemy integration with marshmallow

nixos-unstable 1.4.2
nixos-25.11 1.4.2
- nixpkgs-25.11-darwin 1.4.2

pkgs.python313Packages.marshmallow-sqlalchemy

SQLAlchemy integration with marshmallow

nixos-unstable 1.4.2
- nixpkgs-unstable 1.4.2
- nixos-unstable-small 1.4.2
nixos-25.11 1.4.2
- nixpkgs-25.11-darwin 1.4.2

pkgs.python314Packages.marshmallow-sqlalchemy

SQLAlchemy integration with marshmallow

nixos-unstable -
- nixpkgs-unstable 1.4.2
- nixos-unstable-small 1.4.2

pkgs.haskellPackages.test-framework-smallcheck

Support for SmallCheck tests in test-framework

nixos-unstable 0.2
- nixpkgs-unstable 0.2
- nixos-unstable-small 0.2
nixos-25.11 0.2
- nixpkgs-25.11-darwin 0.2

pkgs.python312Packages.marshmallow-oneofschema

Marshmallow library extension that allows schema (de)multiplexing

nixos-unstable 3.2.0
nixos-25.11 3.2.0
- nixpkgs-25.11-darwin 3.2.0

pkgs.python313Packages.marshmallow-oneofschema

Marshmallow library extension that allows schema (de)multiplexing

nixos-unstable 3.2.0
- nixpkgs-unstable 3.2.0
- nixos-unstable-small 3.2.0
nixos-25.11 3.2.0
- nixpkgs-25.11-darwin 3.2.0

pkgs.python314Packages.marshmallow-oneofschema

Marshmallow library extension that allows schema (de)multiplexing

nixos-unstable -
- nixpkgs-unstable 3.2.0
- nixos-unstable-small 3.2.0

pkgs.tests.hardeningFlags.stackProtectorReenabledFromAllEnv

None

nixos-25.11 -

pkgs.tests.hardeningFlags-gcc.stackProtectorReenabledFromAllEnv

None

nixos-unstable -
- nixpkgs-unstable
- nixos-unstable-small
nixos-25.11 -
- nixpkgs-25.11-darwin

pkgs.tests.hardeningFlags-clang.stackProtectorReenabledFromAllEnv

None

nixos-unstable -
- nixpkgs-unstable
- nixos-unstable-small
nixos-25.11 -
- nixpkgs-25.11-darwin

Package maintainers

@azahi Azat Bahawi <azat@bahawi.net>
@risicle Robert Scott <code@humanleg.org.uk>
@evils Evils <evils.devils@protonmail.com>
@thoughtpolice Austin Seipp <aseipp@pobox.com>
@kamadorueda Kevin Amado <kamadorueda@gmail.com>
@collares Mauricio Collares <mauricio@collares.org>
@timokau Timo Kaufmann <timokau@zoho.com>
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
@NickCao Nick Cao <nickcao@nichi.co>
@cript0nauta Matías Lang <shareman1204@gmail.com>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@ivan-tkatchev Ivan Tkatchev <tkatchev@gmail.com>
@drewrisinger Drew Risinger <drisinger+nixpkgs@gmail.com>

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.dmalloc

pkgs.smallwm

pkgs.jemalloc

pkgs.mimalloc

pkgs.kicad-small

pkgs.gnu-smalltalk

pkgs.darwin.libmalloc

pkgs.mallard-ducktype

pkgs.rust-jemalloc-sys

pkgs.pari-seadata-small

pkgs.kicad-testing-small

pkgs.kicad-unstable-small

pkgs.graphene-hardened-malloc

pkgs.haskellPackages.smallcheck

pkgs.rust-jemalloc-sys-unprefixed

pkgs.python312Packages.marshmallow

pkgs.python313Packages.marshmallow

pkgs.python314Packages.marshmallow

pkgs.haskellPackages.lazysmallcheck

pkgs.haskellPackages.hspec-smallcheck

pkgs.haskellPackages.tasty-smallcheck

pkgs.python312Packages.mallard-ducktype

pkgs.python313Packages.mallard-ducktype

pkgs.python314Packages.mallard-ducktype

pkgs.python312Packages.flask-marshmallow

pkgs.python313Packages.flask-marshmallow

pkgs.python314Packages.flask-marshmallow

pkgs.haskellPackages.small-bytearray-builder

pkgs.python312Packages.marshmallow-dataclass

pkgs.python312Packages.marshmallow-polyfield

pkgs.python313Packages.marshmallow-dataclass

pkgs.python313Packages.marshmallow-polyfield

pkgs.python314Packages.marshmallow-dataclass

pkgs.python312Packages.marshmallow-sqlalchemy

pkgs.python313Packages.marshmallow-sqlalchemy

pkgs.python314Packages.marshmallow-sqlalchemy

pkgs.haskellPackages.test-framework-smallcheck

pkgs.python312Packages.marshmallow-oneofschema

pkgs.python313Packages.marshmallow-oneofschema

pkgs.python314Packages.marshmallow-oneofschema

pkgs.tests.hardeningFlags.stackProtectorReenabledFromAllEnv

pkgs.tests.hardeningFlags-gcc.stackProtectorReenabledFromAllEnv

pkgs.tests.hardeningFlags-clang.stackProtectorReenabledFromAllEnv

Package maintainers