Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
Nix is a package manager for Linux and other Unix systems. Builds with Nix 2.30.0 on macOS were executed with elevated privileges (root), instead of the build users. The fix was applied to Nix 2.30.1. No known workarounds are available.
AnalysisAI
CVE-2025-53819 is a privilege escalation vulnerability in Nix 2.30.0 on macOS where package builds are incorrectly executed with root privileges instead of restricted build user accounts. This affects macOS systems running Nix 2.30.0, allowing local attackers with standard user privileges to execute arbitrary code with root-level access during package builds. The vulnerability was patched in Nix 2.30.1, and no public exploits or known workarounds are currently available, though the high CVSS score (7.9) reflects the severity of privilege escalation with potential system-wide impact.
Technical ContextAI
Nix is a purely functional package manager that uses declarative configuration and implements multi-user build isolation through dedicated unprivileged build users. The vulnerability stems from CWE-271 (Improper Privilege Management), indicating a flaw in the privilege dropping mechanism on macOS. On Unix-like systems, Nix normally spawns builds under restricted user accounts to sandbox package builds and prevent malicious or buggy build scripts from gaining system access. The macOS implementation in version 2.30.0 failed to properly enforce this user context switching, causing build processes to execute with the invoking user's privileges (potentially root if sudo was used, or with elevated capabilities) rather than the intended unprivileged build user. This is specific to the macOS platform; Linux builds were not affected. The affected CPE scope includes nix-package-manager versions 2.30.0 on macOS systems (cpe:2.3:a:nixos:nix:2.30.0:*:*:*:*:macos:*:*).
RemediationAI
{'action': 'Upgrade Nix immediately', 'details': "Update from Nix 2.30.0 to Nix 2.30.1 or later. On macOS systems, run 'nix upgrade-nix' or reinstall via the official installer from https://nixos.org/download.html"} {'action': 'Verify patch installation', 'details': "Confirm version with 'nix --version' and ensure output shows 2.30.1 or higher"} {'action': 'No workarounds available', 'details': 'The vendor explicitly noted no known workarounds; patching is the only mitigation'} {'action': 'Review build audit logs', 'details': 'On systems that ran Nix 2.30.0, audit any packages built during the vulnerable period, as builds may have executed with elevated privileges'} {'action': 'Restrict Nix access if patching delayed', 'details': 'If immediate patching is not possible, restrict Nix invocation to trusted administrators only via file permissions and sudo rules'}
An unauthenticated remote code execution vulnerability exists in Remote for Mac, a macOS remote control utility develope
A use-after-free issue was addressed with improved memory management. Rated high severity (CVSS 8.8), this vulnerability
Apple's kernel across all platforms (iOS, macOS, watchOS, visionOS, tvOS) contains a memory corruption vulnerability (CV
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
The issue was addressed with improved checks. Rated high severity (CVSS 7.0). Actively exploited in the wild (cisa kev)
A logic issue was addressed with improved restrictions. Rated high severity (CVSS 7.8), this vulnerability is no authent
In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environmen
A race condition was addressed with additional validation. Rated high severity (CVSS 7.0), this vulnerability is no auth
This issue was addressed with improved checks. Rated critical severity (CVSS 10.0), this vulnerability is remotely explo
When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data t
When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the
Same weakness CWE-271 – Privilege Dropping / Lowering Errors
View allSame technique Information Disclosure
View allVendor StatusVendor
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| jammy | not-affected | macOS only |
| noble | not-affected | macOS only |
| plucky | not-affected | macOS only |
| upstream | not-affected | debian: Specific to MacOS |
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 2.3.7+dfsg1-1 | - |
| bookworm | fixed | 2.8.0-1.1 | - |
| trixie | fixed | 2.26.3+dfsg-1 | - |
| forky, sid | fixed | 2.32.5+dfsg-2 | - |
| (unstable) | not-affected | - | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-21392