CVE-2025-32435

Published: Apr 15, 2025Modified: Sep 22, 2025

2.6

Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Exploitability: 1.2 / Impact: 1.4

Source: security-advisories@github.com (Secondary)

Description

Hydra is a Continuous Integration service for Nix based projects. Evaluation of untrusted non-flake nix code could potentially access secrets that are accessible by the hydra user/group. This should not affect the signing keys, that are owned by the hydra-queue-runner and hydra-www users respectively.

Affected (1)

Products: Nixos: Hydra

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Nixos Hydra	Before 2025-04-11

Related CWEs

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

References (4)

https://github.com/NixOS/hydra/commit/8d750265135b7e203520036a742afdf301b4013f

Source: security-advisories@github.com

Patch

https://github.com/NixOS/hydra/security/advisories/GHSA-j7w7-965w-vjxw

Source: security-advisories@github.com

Vendor Advisory

https://github.com/NixOS/nixpkgs/pull/397919

Source: security-advisories@github.com

Issue Tracking

https://github.com/nix-community/nix-eval-jobs/releases/tag/v2.28.1

Source: security-advisories@github.com

Release Notes

Timeline

No history available yet.