CVE-2025-32435

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-32435

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32435.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-32435

Aliases

GHSA-j7w7-965w-vjxw

Published

2025-04-15T23:15:42Z

Modified

2025-05-28T10:15:37.150454Z

Summary

[none]

Details

Hydra is a Continuous Integration service for Nix based projects. Evaluation of untrusted non-flake nix code could potentially access secrets that are accessible by the hydra user/group. This should not affect the signing keys, that are owned by the hydra-queue-runner and hydra-www users respectively.

References

Affected packages

Git / github.com/nix-community/nix-eval-jobs

Affected ranges

Type: GIT
Repo: https://github.com/nix-community/nix-eval-jobs
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

e376e07271dd405d5427e2dd4a29864fb5347f34

Type: GIT
Repo: https://github.com/nixos/hydra
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

8d750265135b7e203520036a742afdf301b4013f

Affected versions

v0.*

v0.0.1

v0.0.2

v0.0.3

v0.0.4

v0.0.5

v0.0.6

v2.*

v2.12.0

v2.12.1

v2.14.0

v2.17.0

v2.17.1

v2.18.0

v2.21.0

v2.22.1

v2.23.0

v2.24.0

v2.24.1

v2.25.0

v2.26.0

v2.27.0

v2.28.0

v2.9.0