Race Condition in Nix, Lix, and Guix Package Managers Affects File Integrity
CVE-2025-46415
What is CVE-2025-46415?
CVE-2025-46415 is a race condition in the Nix, Lix, and Guix package managers, tools that install, configure, and manage software packages and keep a system in a desired software state. An attacker who wins the race can cause the package manager to remove content from arbitrary directories, compromising the integrity and availability of files in the affected environment.
Affected versions are Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1 (each the fixed release of its own series); Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b. Organizations running these tools without the fixed releases expose themselves to unauthorized file deletion that directly affects operational continuity.
Potential impact of CVE-2025-46415
- Data Integrity Compromise: The primary risk of CVE-2025-46415 is unauthorized deletion of critical files. This undermines the integrity of the data an organization manages and can lead to data loss and disrupted business operations.
- Operational Disruption: Because the affected package managers are fundamental to maintaining software configuration, the ability to remove content from arbitrary directories can cause system instability and downtime, impairing the organization's ability to deliver services and stay productive.
- Increased Attack Surface: Exploitation can pave the way for further malicious activity, since the ability to modify or delete files may allow attackers to implant malware or establish persistence on the system. This escalation raises the overall risk and may open avenues for more severe compromise of an organization's infrastructure.

Affected Version(s)
Nix 0 < 2.24.15
Nix 2.25.0 < 2.26.4
Nix 2.27.0 < 2.28.4
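To check a host against the version ranges above, the following is an added example (not code from the advisory, the Nix project, or Lix). It assumes `nix --version` prints a line of the form `nix (Nix) 2.28.3` or `nix (Lix, like Nix) 2.91.1`; the Nix 2.29 range is derived from the statement that 2.29.1 is a fixed release, and Guix is not covered because its version string format differs.

```python
import re
from typing import Optional, Tuple

# Affected ranges for CVE-2025-46415 as listed on this page:
# lower bound inclusive, upper bound exclusive. The Nix 2.29 entry is
# inferred from the prose ("prior to ... 2.29.1"), not from the table.
AFFECTED_RANGES = {
    "Nix": [((0, 0, 0), (2, 24, 15)),
            ((2, 25, 0), (2, 26, 4)),
            ((2, 27, 0), (2, 28, 4)),
            ((2, 29, 0), (2, 29, 1))],
    "Lix": [((0, 0, 0), (2, 91, 2)),
            ((2, 92, 0), (2, 92, 2)),
            ((2, 93, 0), (2, 93, 1))],
}

# Assumed shape of `nix --version` output, e.g. "nix (Nix) 2.28.3" or
# "nix (Lix, like Nix) 2.91.1". Anything else is reported as unrecognised.
VERSION_RE = re.compile(r"^nix \((Nix|Lix)[^)]*\)\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(output: str) -> Optional[Tuple[str, Tuple[int, int, int]]]:
    """Return (flavour, (major, minor, patch)) or None if not parseable."""
    m = VERSION_RE.match(output.strip())
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))


def is_affected(flavour: str, version: Tuple[int, int, int]) -> bool:
    """True when the version falls inside any affected range of its series."""
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES[flavour])


def assess(output: str) -> str:
    """Classify a `nix --version` line as affected, fixed, or unrecognised."""
    parsed = parse_version(output)
    if parsed is None:
        return "unrecognised"
    flavour, version = parsed
    return "affected" if is_affected(flavour, version) else "fixed"


if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["nix", "--version"], capture_output=True, text=True).stdout
    print(assess(out))
```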
News Articles
Race Condition Vulnerability in Guix Package Manager Allows Arbitrary Content Removal
Learn about CVE-2025-46415, a race condition vulnerability in Guix, Nix, and Lix package managers that allows arbitrary content removal. Find out how to fix it and check your application for vulnerabilities.
Security Advisory: Privilege Escalations in Nix, Lix and Guix - Announcements / Security - NixOS Discourse
Summary This advisory follows up on the pre-announcement made last week. Nix and Lix are affected by a set of issues that can be combined to achieve root privilege escalation. These issues are identified as: CVE-2025-…
Timeline
- Exploit known to exist
- Vulnerability published
- First article discovered by lix.systems
- Vulnerability reserved
