THREATINT
PUBLISHED

CVE-2025-32435

Hydra no restricted eval after nix-eval-jobs migration



Description

Hydra is a Continuous Integration service for Nix-based projects. Evaluation of untrusted non-flake Nix code could potentially access secrets that are accessible by the hydra user/group. This should not affect the signing keys, which are owned by the hydra-queue-runner and hydra-www users respectively.

Reserved 2025-04-08 | Published 2025-04-15 | Updated 2025-04-16 | Assigner GitHub_M


LOW: 2.6 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Problem types

CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Product status

< 8d750265135b7e203520036a742afdf301b4013f
affected

References

github.com/.../hydra/security/advisories/GHSA-j7w7-965w-vjxw

github.com/NixOS/nixpkgs/pull/397919

github.com/...ommit/8d750265135b7e203520036a742afdf301b4013f

github.com/nix-community/nix-eval-jobs/releases/tag/v2.28.1

cve.org (CVE-2025-32435)

nvd.nist.gov (CVE-2025-32435)
