Nixpkgs security tracker


Suggestions search

With package: tpm2-totp-with-plymouth

Found 1 matching suggestion

Untriaged
created 1 month, 1 week ago
Request smuggling via first-wins Content-Length parsing in inets httpd

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling. This vulnerability is associated with program files lib/inets/src/http_server/httpd_request.erl and program routines httpd_request:parse_headers/7. The server does not reject or normalize duplicate Content-Length headers. The earliest Content-Length in the request is used for body parsing while common reverse proxies (nginx, Apache httpd, Envoy) honor the last Content-Length value. This violates RFC 9112 Section 6.3 and allows front-end/back-end desynchronization, leaving attacker-controlled bytes queued as the start of the next request. This issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to inets from 5.10 until 9.6.1, 9.3.2.3 and 9.1.0.5.

Affected products

inets
  • *
  • <pkg:otp/inets@*
erlang/otp
  • *

Matching in nixpkgs

pkgs.cotp

Trustworthy, encrypted, command-line TOTP/HOTP authenticator app with import functionality

pkgs.otpw

One-time password login package

  • nixos-unstable 1.5
    • nixpkgs-unstable 1.5
    • nixos-unstable-small 1.5
  • nixos-25.11 1.5
    • nixos-25.11-small 1.5
    • nixpkgs-25.11-darwin 1.5

pkgs.libcotp

C library that generates TOTP and HOTP

pkgs.otpauth

Google Authenticator migration decoder

pkgs.hotpatch

Hot patching executables on Linux using .so file injection

  • nixos-unstable 0.2
    • nixpkgs-unstable 0.2
    • nixos-unstable-small 0.2
  • nixos-25.11 0.2
    • nixos-25.11-small 0.2
    • nixpkgs-25.11-darwin 0.2

pkgs.totp-cli

Authy/Google Authenticator like TOTP CLI tool written in Go

pkgs.otpclient

Highly secure and easy to use OTP client written in C/GTK that supports both TOTP and HOTP

pkgs.tpm2-totp

Attest the trustworthiness of a device against a human using time-based one-time passwords

pkgs.godotpcktool

Standalone tool for extracting and creating Godot .pck files

  • nixos-unstable 2.2
    • nixpkgs-unstable 2.2
    • nixos-unstable-small 2.2
  • nixos-25.11 2.2
    • nixos-25.11-small 2.2
    • nixpkgs-25.11-darwin 2.2

pkgs.nitrotpm-tools

Collection of utilities for working with NitroTPM attestation

pkgs.gnomeExtensions.totp

Generate Time-based One-Time Passwords (TOTP aka OTP) for websites that use Two-Factor Authentication (2FA) like Google, Facebook, Discord, Amazon, Steam, etc.

  • nixos-unstable 52
    • nixpkgs-unstable 52
    • nixos-unstable-small 52
  • nixos-25.11 46
    • nixos-25.11-small 46
    • nixpkgs-25.11-darwin 46

pkgs.gnomeExtensions.bootpaper

Randomly selects a new wallpaper on startup from local folder

  • nixos-unstable 6
    • nixpkgs-unstable 6
    • nixos-unstable-small 6
  • nixos-25.11 6
    • nixos-25.11-small 6
    • nixpkgs-25.11-darwin 6
