CVE-2025-64766

Source
https://cve.org/CVERecord?id=CVE-2025-64766
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64766.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-64766
Aliases
  • GHSA-58m4-5wg3-5g5v
Published
2025-11-17T21:38:10.023Z
Modified
2026-03-01T06:33:41.412230Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
NixOS has hardcoded credentials in Onlyoffice module
Details

OnlyOffice is a software suite that offers online and offline tools for document editing, collaboration, and management. In NixOS versions from 22.11 to before 25.05, and in Unstable before 25.11, the NixOS module for the OnlyOffice document server used a hard-coded secret to protect the server's file cache. Because that secret is the same on every deployment built from the module, an attacker who knows an existing revision ID can use it to obtain the corresponding document. In practice an arbitrary revision ID should be hard to obtain, so the primary impact is access to already-known documents by users whose access has since expired. This issue was resolved in NixOS 25.05 and in Unstable 25.11.
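
The following is an added illustration of the CWE-798 pattern the advisory describes, not code from nixpkgs or from OnlyOffice. It models a cache protected by an HMAC over a revision ID, keyed by a secret. The secret value, revision IDs, cache contents and file path are all constructed placeholders; the real module's option names and secret are not reproduced here. The point it shows is that a secret baked into shared module source is known to everyone, so a forged token is indistinguishable from a legitimate one, whereas a per-deployment random secret kept outside the Nix store makes the same forgery fail.

```python
import hashlib
import hmac
import os
import secrets
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Constructed placeholder for the pattern in the advisory: a default secret that is
# identical on every host built from the same module source. This is NOT the value
# from the NixOS OnlyOffice module; it is a made-up stand-in for the example.
HARDCODED_SECRET = b"example-module-default-secret"


def mint_cache_token(secret: bytes, revision_id: str) -> str:
    """Token the server hands to an authorised client for one cached revision."""
    return hmac.new(secret, revision_id.encode(), hashlib.sha256).hexdigest()


def fetch_cached_document(secret: bytes, revision_id: str, token: str,
                          cache: Dict[str, bytes]) -> Optional[bytes]:
    """Server side: release the cached file only if the presented token verifies.
    compare_digest avoids a timing side channel on the comparison itself."""
    expected = mint_cache_token(secret, revision_id)
    if not hmac.compare_digest(expected, token):
        return None
    return cache.get(revision_id)


def attacker_forges_token(known_revision_id: str) -> str:
    """Attacker side: anyone who has read the module source knows HARDCODED_SECRET,
    so they can mint a valid token for any revision ID they have learned (for
    example from an old share link) without the server ever granting access."""
    return mint_cache_token(HARDCODED_SECRET, known_revision_id)


def load_or_create_secret(path: str) -> bytes:
    """Hardened pattern: a per-deployment random secret stored outside the
    world-readable Nix store, generated once on first use if absent.
    (Hypothetical path handling; a real deployment would provision this via
    a secrets manager or an activation script.)"""
    p = Path(path)
    if not p.exists():
        p.write_bytes(secrets.token_bytes(32))
        p.chmod(0o600)
    return p.read_bytes()


def demo() -> Dict[str, Optional[bytes]]:
    """Run the forgery against both the hard-coded and the per-host secret."""
    # Constructed sample cache: one revision ID mapped to its document bytes.
    cache = {"rev-7f3a": b"Q3 board minutes (constructed sample)"}
    rid = "rev-7f3a"
    forged = attacker_forges_token(rid)

    # Vulnerable deployment: the server verifies with the same shared secret.
    vulnerable_leak = fetch_cached_document(HARDCODED_SECRET, rid, forged, cache)

    # Hardened deployment: the server verifies with its own random secret.
    with tempfile.TemporaryDirectory() as d:
        per_host = load_or_create_secret(os.path.join(d, "cache-secret.key"))
        hardened_leak = fetch_cached_document(per_host, rid, forged, cache)
        legit = fetch_cached_document(per_host, rid,
                                      mint_cache_token(per_host, rid), cache)

    return {"vulnerable_leak": vulnerable_leak,
            "hardened_leak": hardened_leak,
            "legit": legit}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'document released' if result else 'denied'}")
```

The forged token is accepted under the hard-coded secret and rejected under the per-host one, while the legitimately minted token still works. Rotating to a per-deployment secret is also what invalidates tokens held by users whose access has expired, which is the impact the advisory singles out.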

Database specific
{
    "cwe_ids": [
        "CWE-798"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64766.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/nixos/nixpkgs

Affected ranges

Type
GIT
Repo
https://github.com/nixos/nixpkgs
Events
Database specific
{
    "versions": [
        {
            "introduced": "22.11"
        },
        {
            "fixed": "25.05"
        }
    ]
}
Type
GIT
Repo
https://github.com/nixos/nixpkgs
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "Unstable25.11"
        }
    ]
}

Affected versions

0.*
0.1
0.13
0.14
0.2
0.3
0.4
15.*
15.09-beta
16.*
16.09-beta
17.*
17.09-beta
18.*
18.03-beta
18.09-beta
21.*
21.11-pre
22.*
22.05-pre
23.*
23.05-pre
23.11-beta
23.11-pre
24.*
24.05-pre
24.11-pre
Other
binary
black@2016-05-13
v192
v206
v208
last-glibc-2.*
last-glibc-2.13
release-16.*
release-16.03-start

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64766.json"