
macOS CVE-2025-53819 (EUVD-2025-21392), severity HIGH
Privilege Dropping / Lowering Errors (CWE-271)
Published: 2025-07-14 | Source: security-advisories@github.com
CVSS 3.1 base score: 7.9

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L

Attack Vector:       Local
Attack Complexity:   Low
Privileges Required: Low
User Interaction:    None
Scope:               Changed
Confidentiality:     Low
Integrity:           High
Availability:        Low

Lifecycle Timeline (most recent first)

Patch released:    Mar 31, 2026 - 21:13 (nvd), patch available
EUVD ID assigned:  Mar 16, 2026 - 09:43 (euvd), EUVD-2025-21392
Analysis generated: Mar 16, 2026 - 09:43 (vuln.today)
CVE published:     Jul 14, 2025 - 21:15 (nvd), rated HIGH 7.9

Description (NVD)

Nix is a package manager for Linux and other Unix systems. Builds with Nix 2.30.0 on macOS were executed with elevated privileges (root) instead of as the build users. The fix was applied in Nix 2.30.1. No known workarounds are available.

Analysis (AI)

CVE-2025-53819 is a privilege escalation vulnerability in Nix 2.30.0 on macOS where package builds are incorrectly executed with root privileges instead of restricted build user accounts. This affects macOS systems running Nix 2.30.0, allowing local attackers with standard user privileges to execute arbitrary code with root-level access during package builds. The vulnerability was patched in Nix 2.30.1, and no public exploits or known workarounds are currently available, though the high CVSS score (7.9) reflects the severity of privilege escalation with potential system-wide impact.

Technical Context (AI)

Nix is a purely functional package manager that uses declarative configuration and implements multi-user build isolation through dedicated unprivileged build users. The vulnerability stems from CWE-271 (Improper Privilege Management), indicating a flaw in the privilege dropping mechanism on macOS. On Unix-like systems, Nix normally spawns builds under restricted user accounts to sandbox package builds and prevent malicious or buggy build scripts from gaining system access. The macOS implementation in version 2.30.0 failed to properly enforce this user context switching, causing build processes to execute with the invoking user's privileges (potentially root if sudo was used, or with elevated capabilities) rather than the intended unprivileged build user. This is specific to the macOS platform; Linux builds were not affected. The affected CPE scope includes nix-package-manager versions 2.30.0 on macOS systems (cpe:2.3:a:nixos:nix:2.30.0:*:*:*:*:macos:*:*).

Remediation (AI)

1. Upgrade Nix immediately: update from Nix 2.30.0 to Nix 2.30.1 or later. On macOS systems, run 'nix upgrade-nix' or reinstall via the official installer from https://nixos.org/download.html
2. Verify patch installation: confirm the version with 'nix --version' and ensure the output shows 2.30.1 or higher.
3. No workarounds available: the vendor explicitly noted no known workarounds; patching is the only mitigation.
4. Review build audit logs: on systems that ran Nix 2.30.0, audit any packages built during the vulnerable period, as builds may have executed with elevated privileges.
5. Restrict Nix access if patching is delayed: if immediate patching is not possible, restrict Nix invocation to trusted administrators only via file permissions and sudo rules.
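The verification step above ("ensure the output shows 2.30.1 or higher") is easy to get wrong with a plain string comparison, because "2.3.7" sorts after "2.30.1" lexically. The following POSIX sh script is an added example, not code from vuln.today or from the Nix project: it parses a "nix --version" line, compares the version numerically component by component, and combines that with the OS name so that only Nix 2.30.0 on macOS (Darwin) is reported as exposed, as the advisory scopes it. It assumes that "nix --version" prints a line such as "nix (Nix) 2.30.0"; the sample lines in the script are constructed, not captured from real hosts.

```shell
#!/bin/sh
# Added example, not code from vuln.today or from the Nix project: decide whether a
# host is exposed to CVE-2025-53819 from its OS name and its "nix --version" output.
# Assumption: "nix --version" prints a line such as "nix (Nix) 2.30.0", i.e. the
# version is the first whitespace-separated word that looks like a dotted number.

AFFECTED_VERSION="2.30.0"   # the only release the advisory names as affected
FIXED_VERSION="2.30.1"      # first release carrying the fix

# extract_nix_version LINE: print the dotted version found in LINE, exit 1 if none.
extract_nix_version() {
    for word in $1; do
        word="${word%%[!0-9.]*}"          # drop any suffix such as "pre20250101_abc"
        case "$word" in
            [0-9]*.[0-9]*) printf '%s\n' "$word"; return 0 ;;
        esac
    done
    return 1
}

# version_ge A B: exit 0 when dotted version A >= B, comparing each numeric
# component, so 2.30.1 >= 2.30.0 and 2.31.0 >= 2.30.1 (a string compare would
# get 2.3.7 vs 2.30.1 wrong). Missing components count as 0.
version_ge() {
    vg_a="$1"; vg_b="$2"
    while [ -n "$vg_a" ] || [ -n "$vg_b" ]; do
        vg_pa="${vg_a%%.*}"; vg_pb="${vg_b%%.*}"
        [ -z "$vg_pa" ] && vg_pa=0
        [ -z "$vg_pb" ] && vg_pb=0
        [ "$vg_pa" -gt "$vg_pb" ] && return 0
        [ "$vg_pa" -lt "$vg_pb" ] && return 1
        case "$vg_a" in *.*) vg_a="${vg_a#*.}" ;; *) vg_a="" ;; esac
        case "$vg_b" in *.*) vg_b="${vg_b#*.}" ;; *) vg_b="" ;; esac
    done
    return 0
}

# assess_host OS VERSION_LINE: print a verdict for one host. Exit status:
#   0 = not exposed (not macOS, version outside 2.30.0, or already >= 2.30.1)
#   1 = exposed (Nix 2.30.0 on macOS: builds ran as root instead of a build user)
#   2 = version string could not be parsed
assess_host() {
    ah_os="$1"
    ah_ver=$(extract_nix_version "$2") || { echo "cannot parse Nix version from: $2"; return 2; }
    if [ "$ah_os" != "Darwin" ]; then
        echo "Nix $ah_ver on $ah_os: not affected (CVE-2025-53819 is macOS-only)"
        return 0
    fi
    if version_ge "$ah_ver" "$AFFECTED_VERSION" && ! version_ge "$ah_ver" "$FIXED_VERSION"; then
        echo "Nix $ah_ver on macOS: EXPOSED to CVE-2025-53819; upgrade to $FIXED_VERSION or later"
        return 1
    fi
    echo "Nix $ah_ver on macOS: not exposed (version outside 2.30.0 or already patched)"
    return 0
}

# Constructed sample inputs (not real hosts). On a live machine run instead:
#   assess_host "$(uname -s)" "$(nix --version)"
for sample in "Darwin|nix (Nix) 2.30.0" "Darwin|nix (Nix) 2.30.1" \
              "Darwin|nix (Nix) 2.29.1" "Linux|nix (Nix) 2.30.0"; do
    assess_host "${sample%%|*}" "${sample#*|}" || echo "  -> exit status $?"
done
```

The exit status makes the check usable from fleet tooling: a non-zero status from assess_host on a macOS host is the signal to schedule the upgrade and, per the remediation list, to audit packages built while 2.30.0 was installed.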

Vendor Status

Ubuntu (priority: Medium), package nix

Release   Status        Version / Note
jammy     not-affected  macOS only
noble     not-affected  macOS only
plucky    not-affected  macOS only
upstream  not-affected  debian: Specific to MacOS

Debian, package nix

Release     Status        Fixed Version    Urgency
bullseye    fixed         2.3.7+dfsg1-1    -
bookworm    fixed         2.8.0-1.1        -
trixie      fixed         2.26.3+dfsg-1    -
forky, sid  fixed         2.32.5+dfsg-2    -
(unstable)  not-affected  -                -


CVE-2025-53819 vulnerability details – vuln.today
