CVE-2025-32435

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-32435
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32435.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-32435
Aliases
  • GHSA-j7w7-965w-vjxw
Published
2025-04-15T23:15:42Z
Modified
2025-04-16T13:25:37Z
Summary
[none]
Details

Hydra is a Continuous Integration service for Nix-based projects. Evaluation of untrusted non-flake Nix code could potentially access secrets that are accessible by the hydra user/group. This should not affect the signing keys, which are owned by the hydra-queue-runner and hydra-www users respectively.

References

Affected packages

Git / github.com/nixos/hydra

Affected ranges

Type
GIT
Repo
https://github.com/nixos/hydra
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed