CVE-2025-54800

Hydra is a continuous integration service for Nix based projects. Prior to commit dea1e16, a malicious package can introduce arbitrary JavaScript code into the Hydra database that is automatically evaluated in a client's browser when anyone visits the build page. This could be done by a third-party project as part of its build process. This also happens in other places like with hydra-release-name. This issue has been patched by commit dea1e16. A workaround involves either not building untrusted packages or not visiting the builds page.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/NixOS/hydra/commit/dea1e168f590efb27db32dbacc82b09e15f8ae4b	Patch
https://github.com/NixOS/hydra/security/advisories/GHSA-7qwg-q53v-vh99	Vendor Advisory Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:nixos:hydra:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-08-12 16:15

Updated : 2025-09-22 14:57

NVD link : CVE-2025-54800

Mitre link : CVE-2025-54800

CVE.ORG link : CVE-2025-54800

JSON object : View

Products Affected

nixos

hydra

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-54800", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-12T16:15:28.170", "references": [{"url": "https://github.com/NixOS/hydra/commit/dea1e168f590efb27db32dbacc82b09e15f8ae4b", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/NixOS/hydra/security/advisories/GHSA-7qwg-q53v-vh99", "tags": ["Vendor Advisory", "Patch"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Hydra is a continuous integration service for Nix based projects. Prior to commit dea1e16, a malicious package can introduce arbitrary JavaScript code into the Hydra database that is automatically evaluated in a client's browser when anyone visits the build page. This could be done by a third-party project as part of its build process. This also happens in other places like with hydra-release-name. This issue has been patched by commit dea1e16. A workaround involves either not building untrusted packages or not visiting the builds page."}, {"lang": "es", "value": "Hydra es un servicio de integraci\u00f3n continua para proyectos basados en Nix. Antes del commit dea1e16, un paquete malicioso pod\u00eda introducir c\u00f3digo JavaScript arbitrario en la base de datos de Hydra, que se evaluaba autom\u00e1ticamente en el navegador del cliente al visitar la p\u00e1gina de compilaci\u00f3n. Esto podr\u00eda ser realizado por un proyecto de terceros como parte de su proceso de compilaci\u00f3n. Esto tambi\u00e9n ocurre en otros lugares, como con hydra-release-name. Este problema se ha corregido con el commit dea1e16. Una soluci\u00f3n alternativa consiste en no compilar paquetes no confiables o no visitar la p\u00e1gina de compilaciones."}], "lastModified": "2025-09-22T14:57:49.523", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nixos:hydra:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "778C10E5-6174-40F1-B9E5-E1EBFAA3148E", "versionEndExcluding": "2025-08-12"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}