Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

All statuses

Filter by:

With package: zoraxy

Found 1 matching suggestions

View:

Compact

Detailed

Untriaged

Permalink CVE-2026-33529

3.3 LOW

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): HIGH
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

created 3 weeks, 2 days ago

Zoraxy: Authenticated Path Traversal in Config Import leads to RCE

Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Version 3.3.2 patches the issue.

References

https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9 x_refsource_CONFIRM
https://github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b40b x_refsource_MISC
https://github.com/tobychui/zoraxy/releases/tag/v3.3.2 x_refsource_MISC

Affected products

zoraxy

==< 3.3.2

Matching in nixpkgs

pkgs.zoraxy

General purpose HTTP reverse proxy and forwarding tool written in Go

nixos-unstable 3.2.5r2
- nixpkgs-unstable 3.2.5r2
- nixos-unstable-small 3.3.1
nixos-25.11 3.2.5r2
- nixos-25.11-small 3.2.5r2
- nixpkgs-25.11-darwin 3.2.5r2

Package maintainers

@luftmensch-luftmensch Valentino Bocchetti <valentinobocchetti59@gmail.com>

1