Race Condition Vulnerability in Nix, Lix, and Guix Package Managers
CVE-2025-52993

5.6MEDIUM

Key Information:

Vendor: Nixos
Status: Nix
Vendor: CVE Published:; 27 June 2025

What is CVE-2025-52993?

A race condition in the Nix, Lix, and Guix package managers allows unauthorized modification of file ownership. Attackers can exploit this vulnerability to change the ownership of arbitrary files to that of the build user, potentially elevating privileges and compromising system integrity.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Nix 0 < 2.24.15

Nix 2.25.0 < 2.26.4

Nix 2.27.0 < 2.28.4

References

https://discourse.nixos.org/t/security-advisory-privilege...

https://lix.systems/blog/2025-06-24-lix-cves/

https://guix.gnu.org/en/blog/2025/privilege-escalation-vu...

CVSS V3.1

Score:

5.6

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Jun 27, 2025
Vulnerability Reserved
Jun 23, 2025

JSON

Nixos