EUVD-2025-21392 | CVE-2025-53819
Severity: HIGH (CVSS 3.1 base score 7.9)
Published: 2025-07-14
Source: [email protected]

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: High
Availability: Low

Lifecycle Timeline (4 events)

Patch Released      Mar 31, 2026 - 21:13  nvd         Patch available
Analysis Generated  Mar 16, 2026 - 09:43  vuln.today
EUVD ID Assigned    Mar 16, 2026 - 09:43  euvd        EUVD-2025-21392
CVE Published       Jul 14, 2025 - 21:15  nvd         HIGH 7.9

Description

Nix is a package manager for Linux and other Unix systems. Builds with Nix 2.30.0 on macOS were executed with elevated privileges (root), instead of the build users. The fix was applied to Nix 2.30.1. No known workarounds are available.

Analysis

CVE-2025-53819 is a privilege escalation vulnerability in Nix 2.30.0 on macOS where package builds are incorrectly executed with root privileges instead of restricted build user accounts. This affects macOS systems running Nix 2.30.0, allowing local attackers with standard user privileges to execute arbitrary code with root-level access during package builds. The vulnerability was patched in Nix 2.30.1, and no public exploits or known workarounds are currently available, though the high CVSS score (7.9) reflects the severity of privilege escalation with potential system-wide impact.

Technical Context

Nix is a purely functional package manager that uses declarative configuration and implements multi-user build isolation through dedicated unprivileged build users. The vulnerability stems from CWE-271 (Improper Privilege Management), indicating a flaw in the privilege dropping mechanism on macOS. On Unix-like systems, Nix normally spawns builds under restricted user accounts to sandbox package builds and prevent malicious or buggy build scripts from gaining system access. The macOS implementation in version 2.30.0 failed to properly enforce this user context switching, causing build processes to execute with the invoking user's privileges (potentially root if sudo was used, or with elevated capabilities) rather than the intended unprivileged build user. This is specific to the macOS platform; Linux builds were not affected. The affected CPE scope is nix-package-manager version 2.30.0 on macOS systems (cpe:2.3:a:nixos:nix:2.30.0:*:*:*:*:macos:*:*).

Affected Products

Vendor  Product              Version  Platform  Status      CPE
NixOS   Nix Package Manager  2.30.0   macOS     vulnerable  cpe:2.3:a:nixos:nix:2.30.0:*:*:*:*:macos:*:*
NixOS   Nix Package Manager  2.30.1   macOS     patched     cpe:2.3:a:nixos:nix:2.30.1:*:*:*:*:macos:*:*

Remediation

- Upgrade Nix immediately: Update from Nix 2.30.0 to Nix 2.30.1 or later. On macOS systems, run 'nix upgrade-nix' or reinstall via the official installer from https://nixos.org/download.html
- Verify patch installation: Confirm version with 'nix --version' and ensure output shows 2.30.1 or higher
- No workarounds available: The vendor explicitly noted no known workarounds; patching is the only mitigation
- Review build audit logs: On systems that ran Nix 2.30.0, audit any packages built during the vulnerable period, as builds may have executed with elevated privileges
- Restrict Nix access if patching delayed: If immediate patching is not possible, restrict Nix invocation to trusted administrators only via file permissions and sudo rules
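The "verify patch installation" step above is a version comparison that is easy to get wrong in a fleet script (macOS ships a BSD sort without -V, and pre-release builds carry suffixes). The following script is an added example written for this advisory; it is not code from vuln.today or from the Nix project. It assumes that `nix --version` prints a line of the form "nix (Nix) X.Y.Z" (the real format on current releases, but treated here as an assumption), that `uname -s` reports "Darwin" on macOS, and it uses the affected (2.30.0) and fixed (2.30.1) versions from this page. The version strings in the usage section are constructed test input.

```shell
#!/bin/sh
# Added example for CVE-2025-53819 (not code from vuln.today or the Nix project).
# Parses `nix --version` output such as "nix (Nix) 2.30.0" and reports whether a
# macOS host is still on the vulnerable 2.30.0 release or at/above the fixed 2.30.1.
# Hosts that are not macOS are reported as not affected, matching the advisory.

FIXED_VERSION="2.30.1"        # first release that fixes CVE-2025-53819 (from the advisory)
VULNERABLE_VERSION="2.30.0"   # only affected release named in the advisory

# version_from_output RAW: print the dotted version found in `nix --version` output.
# Takes the last whitespace-separated field and drops any suffix such as "pre20250101".
version_from_output() {
  printf '%s\n' "$1" | awk '{print $NF}' | sed 's/[^0-9.].*$//'
}

# version_key "MAJOR.MINOR.PATCH": map a version to one integer for plain shell
# arithmetic. Runs in a subshell so the IFS change stays local. Used instead of
# `sort -V`, which the BSD sort shipped on macOS does not provide.
version_key() (
  IFS=.
  set -- $1
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
)

# nix_is_fixed RAW: exit 0 when the reported Nix version is >= FIXED_VERSION.
nix_is_fixed() {
  v=$(version_from_output "$1")
  [ "$(version_key "$v")" -ge "$(version_key "$FIXED_VERSION")" ]
}

# check_host UNAME_S RAW: print one verdict line. Exit 0 when no action is needed
# for this CVE, 1 when the host is running the vulnerable release on macOS.
check_host() {
  os="$1"; raw="$2"
  v=$(version_from_output "$raw")
  if [ "$os" != "Darwin" ]; then
    echo "not-affected: CVE-2025-53819 is specific to macOS (host is $os)"
    return 0
  fi
  if [ "$v" = "$VULNERABLE_VERSION" ]; then
    echo "VULNERABLE: Nix $v runs builds as root on macOS; upgrade to $FIXED_VERSION or later"
    return 1
  fi
  if nix_is_fixed "$raw"; then
    echo "patched: Nix $v is at or above $FIXED_VERSION"
  else
    echo "not-affected: Nix $v predates the affected $VULNERABLE_VERSION release"
  fi
  return 0
}

# Usage on a real host. The `nix` binary may be absent where this runs, so it is guarded.
if command -v nix >/dev/null 2>&1; then
  check_host "$(uname -s)" "$(nix --version)"
fi
```

Run it on each macOS host (for example through your MDM or a fleet SSH loop) and treat a non-zero exit as "still needs the 2.30.1 upgrade"; the version parsing is deliberately tolerant of pre-release suffixes so that a `nix (Nix) 2.31.0pre...` build is not misread as the vulnerable release.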

Priority Score

40 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +40
POC: 0

Vendor Status

Ubuntu (priority: Medium), package nix

Release   Status        Version
jammy     not-affected  macOS only
noble     not-affected  macOS only
plucky    not-affected  macOS only
upstream  not-affected  debian: Specific to MacOS

Debian, package nix

Release     Status        Fixed Version   Urgency
bullseye    fixed         2.3.7+dfsg1-1   -
bookworm    fixed         2.8.0-1.1       -
trixie      fixed         2.26.3+dfsg-1   -
forky, sid  fixed         2.32.5+dfsg-2   -
(unstable)  not-affected  -               -


EUVD-2025-21392 vulnerability details – vuln.today
