Severity by source
AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable by the Nix process orchestrating the builds (typically the Nix daemon running as root in multi-user installations) by following symlinks during fixed-output derivation output registration. This affects sandboxed Linux builds - sandboxed macOS builds are unaffected. The location of the temporary output used for the output copy was located inside the build chroot. A symlink, pointing to an arbitrary location in the filesystem, could be created by the derivation builder at that path. During output registration, the Nix process (running in the host mount namespace) would follow that symlink and overwrite the destination with the derivation's output contents. In multi-user installations, this allows all users able to submit builds to the Nix daemon (allowed-users - defaulting to all users) to gain root privileges by modifying sensitive files. This vulnerability is fixed in 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, and 2.28.6.
AnalysisAI
Local privilege escalation in Nix package manager daemon (versions prior to 2.34.5/2.33.4/2.32.7/2.31.4/2.30.4/2.29.3/2.28.6) allows unprivileged users to gain root access in multi-user Linux installations. Incomplete fix for CVE-2024-27297 permits symlink attacks during fixed-output derivation registration, enabling arbitrary file overwrites as root. Attackers exploit sandboxed build registration by placing symlinks in temporary output paths, causing the daemon to follow symlinks and overwrite sensitive system files with controlled content. Affects default configurations where all users can submit builds. No public exploit identified at time of analysis.
Technical ContextAI
CWE-61 path traversal via symlink during output registration. The Nix daemon operates in host mount namespace while temporary output resides inside build chroot. Builder creates symlink at predictable temporary path; daemon follows symlink during file copy, writing derivation output to arbitrary filesystem locations. Sandboxing isolation failure between builder and daemon contexts enables privilege boundary violation.
RemediationAI
Vendor-released patches: upgrade to Nix 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, or 2.28.6 depending on installed branch. Primary fix commits available at https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9, https://github.com/NixOS/nix/commit/4bc5a3510fa3735798f9ed3a2a30a3ea7b32343a, https://github.com/NixOS/nix/commit/7794354a982449927ee7401cdeb573ddd16c4688, and https://github.com/NixOS/nix/commit/a3163b9eabb952b4aa96e376dea95ebcca97b31a. Official security advisory: https://github.com/NixOS/nix/security/advisories/GHSA-g3g9-5vj6-r3gj. Temporary mitigation for multi-user installations: restrict allowed-users in nix.conf to trusted administrators only, preventing untrusted build submissions. Single-user installations (daemon not running as root) have reduced impact. Verify patched version post-upgrade via nix --version.
Same weakness CWE-61 – UNIX Symbolic Link (Symlink) Following
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20626