Arbitrary Code Execution Vulnerability in Hydra CI Service by NixOS
CVE-2025-32435

2.6 LOW

Key Information:

Vendor: NixOS

Status
Vendor
CVE Published: 15 April 2025

What is CVE-2025-32435?

Hydra is a Continuous Integration service designed for Nix-based projects. A flaw has been identified that allows the evaluation of untrusted non-flake Nix code, which could lead to unauthorized access to sensitive secrets maintained by the hydra user/group. The vulnerability does not affect signing keys owned by the hydra-queue-runner and hydra-www users, but it poses a risk to the integrity and confidentiality of sensitive data within the Hydra CI environment. Security measures should be implemented to prevent exposure to such vulnerabilities.

Affected Version(s)

hydra < 8d750265135b7e203520036a742afdf301b4013f

CVSS V3.1

Score: 2.6
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
