
NixOS — Vulnerabilities & Security Advisories (26)

Browse all 26 CVE security advisories affecting NixOS. AI-powered Chinese analysis, POCs, and references for each vulnerability.

NixOS is a Linux distribution distinguished by its declarative configuration model and reproducible builds, primarily serving developers and system administrators seeking infrastructure stability. Its unique package management system isolates software environments, which inherently reduces dependency conflicts but introduces complexity in security auditing. Historically, vulnerabilities within the Nix ecosystem have frequently involved privilege escalation and remote code execution, often stemming from improper handling of user-supplied data in configuration files or build scripts. With 26 recorded CVEs, these flaws typically affect the package manager itself or specific packages built within the Nix store rather than the core kernel. Notable incidents have highlighted risks related to insecure temporary file creation and race conditions during package installation. While the architecture promotes integrity through cryptographic hashing, the steep learning curve can lead to misconfigurations that expose systems to unauthorized access or data leakage if not strictly managed.

| CVE ID | Title | Component | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-44029 | Nix security vulnerability | Nix | CWE-36 | 5.3 | Medium | 2026-05-05 |
| CVE-2026-44028 | Nix and lix security vulnerability | Nix | CWE-674 | 7.5 | High | 2026-05-05 |
| CVE-2026-39860 | Nix sandbox escape: file write via symlink at FOD `.tmp` copy destination | nix | CWE-61 | 9.0 | Critical | 2026-04-08 |
| CVE-2026-25740 | Privilege escalation to the `CAP_NET_RAW` capability via the `programs.captive-browser` NixOS module | nixpkgs | CWE-250 | 8.8 (AI) | High (AI) | 2026-02-09 |
| CVE-2026-25137 | NixOS Odoo database and filestore publicly accessible with default odoo configuration | nixpkgs | CWE-552 | 9.1 | Critical | 2026-02-02 |
| CVE-2026-23838 | Tandoor Recipes module allows SQLite database to be externally accessible with the default settings | nixpkgs | CWE-538 | 7.5 (AI) | High (AI) | 2026-01-19 |
| CVE-2025-64766 | NixOS has hardcoded credentials in Onlyoffice module | nixpkgs | CWE-798 | 5.3 | Medium | 2025-11-17 |
| CVE-2025-54864 | Hydra missing authentication when triggering evaluations through GitHub and Gitea plugins | hydra | CWE-306 | 7.5 (AI) | High (AI) | 2025-08-12 |
| CVE-2025-54800 | Hydra persistent XSS in build metrics | hydra | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-08-12 |
| CVE-2025-53819 | Nix's privilege dropping to build user broke for macOS | nix | CWE-271 | 7.9 | High | 2025-07-14 |
| CVE-2025-52991 | Nix, lix and GNU Guix security vulnerability | Nix | CWE-276 | 3.2 | Low | 2025-06-27 |
| CVE-2025-52993 | Nix, lix and GNU Guix race condition vulnerability | Nix | CWE-362 | 5.6 | Medium | 2025-06-27 |
| CVE-2025-52992 | Nix, lix and GNU Guix security vulnerability | Nix | CWE-732 | 3.2 | Low | 2025-06-27 |
| CVE-2025-46416 | Nix, lix and GNU Guix security vulnerability | Nix | CWE-282 | 2.9 | Low | 2025-06-27 |
| CVE-2025-46415 | Nix, lix and GNU Guix security vulnerability | Nix | CWE-367 | 3.2 | Low | 2025-06-27 |
| CVE-2025-32435 | Hydra no restricted eval after nix-eval-jobs migration | hydra | CWE-95 | 2.6 | Low | 2025-04-15 |
| CVE-2025-32438 | Local privilege escalation in make-initrd-ng | nixpkgs | CWE-378 | 8.8 | High | 2025-04-15 |
| CVE-2024-51481 | Nix allows macOS sandbox escape via built-in builders | nix | CWE-693 | 8.8 | - | 2024-10-31 |
| CVE-2024-47174 | Credential leak when credentials are used with `<nix/fetchurl.nix>` | nix | CWE-287 | 5.9 | Medium | 2024-09-26 |
| CVE-2024-45593 | Nix affected by unsafe NAR unpacking | nix | CWE-22 | 9.1 | Critical | 2024-09-10 |
| CVE-2024-45049 | Nix Hydra missing authentication when triggering evaluations | hydra | CWE-306 | 7.5 | High | 2024-08-27 |
| CVE-2024-43378 | calamares-nixos-extensions LUKS keyfile exposure regression on legacy BIOS systems | calamares-nixos-extensions | CWE-256 | 7.8 | High | 2024-08-15 |
| CVE-2024-38531 | Nix sandbox escape | nix | CWE-278 | 3.6 | Low | 2024-06-28 |
| CVE-2024-32657 | Hydra has persistent XSS vulnerability serving HTML build outputs | hydra | CWE-79 | 4.6 | Medium | 2024-04-22 |
| CVE-2024-27297 | Nix corruption of fixed-output derivations | nix | CWE-367 | 6.3 | Medium | 2024-03-11 |
| CVE-2023-36476 | `calamares-nixos-extensions` LUKS keyfile exposure | calamares-nixos-extensions | CWE-200 | 7.9 | High | 2023-06-29 |

This page lists every published CVE security advisory associated with NixOS. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.