Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
An issue was discovered in Nix before 2.34.7. Writing to arbitrary files can occur via "nix-prefetch-url --unpack" or "nix store prefetch-file --unpack" directory traversal. The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 (introduced in 2.24.7);
AnalysisAI
Arbitrary file writing via directory traversal in Nix versions before 2.34.7 allows unauthenticated remote attackers to overwrite files on systems running vulnerable versions of nix-prefetch-url or nix store prefetch-file with the --unpack flag. The vulnerability exploits improper path validation during archive extraction, enabling an attacker to craft malicious packages that write to arbitrary filesystem locations when unpacked. CVSS 5.3 (AV:N/AC:L/PR:N/UI:N) reflects network-based exploitation without authentication, though real-world impact depends on file permissions and deployment context. No active exploitation has been confirmed in CISA KEV at time of analysis.
Technical ContextAI
The Nix package manager uses nix-prefetch-url and nix store prefetch-file commands to download and extract package sources. When the --unpack flag is used, these tools decompress archives (tar, zip, etc.) without properly validating path traversal sequences (e.g., '../' or absolute paths) within archive entries. This is a classic CWE-36 (Absolute Path Traversal) vulnerability. An attacker controlling the upstream source URL or intercepting the download can embed malicious paths in a crafted archive; when extracted, these paths bypass intended extraction directories and write files elsewhere on the filesystem. The vulnerability affects Nix versions from 2.24.7 through 2.34.6 and related stable release branches (2.33.x, 2.32.x, 2.31.x, 2.30.x, 2.29.x, 2.28.x).
RemediationAI
Apply security patches immediately: upgrade to Nix 2.34.7 or later, or apply the specific fixed versions for your branch: 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, or 2.28.7. Patches are available from the NixOS GitHub repository (https://github.com/NixOS/nix/security/advisories/GHSA-gr92-w2r5-qw5p) and the NixOS security advisory (https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-lix-and-nix/77407). Until patched, restrict use of nix-prefetch-url and nix store prefetch-file with --unpack flags to trusted, internally-controlled sources only; disable automated prefetch operations that target external or untrusted package sources in CI/CD pipelines. Consider pinning to specific, pre-verified archive hashes and avoiding dynamic source fetching until patched. These workarounds reduce but do not eliminate risk if source compromise is a concern.
Same weakness CWE-36 – Absolute Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27166