Race Condition Vulnerability in Nix, Lix, and Guix Package Managers
CVE-2025-52993

5.6MEDIUM

Key Information:

Vendor: Nixos
Status: Nix
Vendor: CVE Published:; 27 June 2025

What is CVE-2025-52993?

A race condition in the Nix, Lix, and Guix package managers allows unauthorized modification of file ownership. Attackers can exploit this vulnerability to change the ownership of arbitrary files to that of the build user, potentially elevating privileges and compromising system integrity.

Affected Version(s)

Nix 0 < 2.24.15

Nix 2.25.0 < 2.26.4

Nix 2.27.0 < 2.28.4

References

https://discourse.nixos.org/t/security-advisory-privilege...

https://lix.systems/blog/2025-06-24-lix-cves/

https://guix.gnu.org/en/blog/2025/privilege-escalation-vu...

CVSS V3.1

Score:

5.6

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 27, 2025
Vulnerability Reserved
Jun 23, 2025

CVE-2025-52993 Data

JSON

Nixos

What is CVE-2025-52993?

Affected Version(s)

References

CVSS V3.1

Timeline