Browse all 26 CVE security advisories affecting NixOS. AI-powered Chinese analysis, POCs, and references for each vulnerability.
NixOS is a Linux distribution distinguished by its declarative configuration model and reproducible builds, primarily serving developers and system administrators seeking infrastructure stability. Its unique package management system isolates software environments, which inherently reduces dependency conflicts but introduces complexity in security auditing. Historically, vulnerabilities within the Nix ecosystem have frequently involved privilege escalation and remote code execution, often stemming from improper handling of user-supplied data in configuration files or build scripts. With 26 recorded CVEs, these flaws typically affect the package manager itself or specific packages built within the Nix store rather than the core kernel. Notable incidents have highlighted risks related to insecure temporary file creation and race conditions during package installation. While the architecture promotes integrity through cryptographic hashing, the steep learning curve can lead to misconfigurations that expose systems to unauthorized access or data leakage if not strictly managed.
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-54864 | Hydra missing authentication when triggering evaluations through GitHub and Gitea plugins | hydra | CWE-306 | 7.5 (AI) | High (AI) | 2025-08-12 |
| CVE-2025-54800 | Hydra persistent XSS in build metrics | hydra | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-08-12 |
| CVE-2025-32435 | Hydra no restricted eval after nix-eval-jobs migration | hydra | CWE-95 | 2.6 | Low | 2025-04-15 |
| CVE-2024-45049 | Nix Hydra missing authentication when triggering evaluations | hydra | CWE-306 | 7.5 | High | 2024-08-27 |
| CVE-2024-32657 | Hydra has persistent XSS vulnerability serving HTML build outputs | hydra | CWE-79 | 4.6 | Medium | 2024-04-22 |
This page lists every published CVE security advisory associated with NixOS. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.