Skip to main content

Nix Package Manager EUVDEUVD-2026-27166

| CVE-2026-44029 MEDIUM
Absolute Path Traversal (CWE-36)
2026-05-05 cve@mitre.org
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
May 05, 2026 - 02:01 EUVD
Analysis Generated
May 05, 2026 - 01:30 vuln.today

DescriptionCVE.org

An issue was discovered in Nix before 2.34.7. Writing to arbitrary files can occur via "nix-prefetch-url --unpack" or "nix store prefetch-file --unpack" directory traversal. The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 (introduced in 2.24.7);

AnalysisAI

Arbitrary file writing via directory traversal in Nix versions before 2.34.7 allows unauthenticated remote attackers to overwrite files on systems running vulnerable versions of nix-prefetch-url or nix store prefetch-file with the --unpack flag. The vulnerability exploits improper path validation during archive extraction, enabling an attacker to craft malicious packages that write to arbitrary filesystem locations when unpacked. CVSS 5.3 (AV:N/AC:L/PR:N/UI:N) reflects network-based exploitation without authentication, though real-world impact depends on file permissions and deployment context. No active exploitation has been confirmed in CISA KEV at time of analysis.

Technical ContextAI

The Nix package manager uses nix-prefetch-url and nix store prefetch-file commands to download and extract package sources. When the --unpack flag is used, these tools decompress archives (tar, zip, etc.) without properly validating path traversal sequences (e.g., '../' or absolute paths) within archive entries. This is a classic CWE-36 (Absolute Path Traversal) vulnerability. An attacker controlling the upstream source URL or intercepting the download can embed malicious paths in a crafted archive; when extracted, these paths bypass intended extraction directories and write files elsewhere on the filesystem. The vulnerability affects Nix versions from 2.24.7 through 2.34.6 and related stable release branches (2.33.x, 2.32.x, 2.31.x, 2.30.x, 2.29.x, 2.28.x).

RemediationAI

Apply security patches immediately: upgrade to Nix 2.34.7 or later, or apply the specific fixed versions for your branch: 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, or 2.28.7. Patches are available from the NixOS GitHub repository (https://github.com/NixOS/nix/security/advisories/GHSA-gr92-w2r5-qw5p) and the NixOS security advisory (https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-lix-and-nix/77407). Until patched, restrict use of nix-prefetch-url and nix store prefetch-file with --unpack flags to trusted, internally-controlled sources only; disable automated prefetch operations that target external or untrusted package sources in CI/CD pipelines. Consider pinning to specific, pre-verified archive hashes and avoiding dynamic source fetching until patched. These workarounds reduce but do not eliminate risk if source compromise is a concern.

Vendor StatusVendor

SUSE

Severity: Medium

Share

EUVD-2026-27166 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy