Arbitrary Code Execution Vulnerability in Hydra Continuous Integration Service
CVE-2025-54800
7.1 HIGH
What is CVE-2025-54800?
Hydra, the continuous integration service for Nix-based projects, is vulnerable to injection of arbitrary JavaScript code through malicious packages. When such a package is built, the injected code executes in the client's browser when a user visits the build page, potentially compromising that user's security. The vulnerability is exposed when Hydra builds third-party projects, and it can also affect other areas such as hydra-release-name. The issue has been mitigated by a recent commit; users are advised to avoid building untrusted packages or to refrain from accessing the builds page to safeguard their security.
Affected Version(s)
hydra < dea1e168f590efb27db32dbacc82b09e15f8ae4b
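
Because the affected range is given as a commit hash rather than a release number, checking a deployment means testing commit ancestry. The shell function below is an added example, not code from this advisory or from the Hydra project; it assumes a local git clone of the Hydra source at the deployed revision, and the name `hydra_fix_status` is hypothetical.

```shell
#!/bin/sh
# Added example: report whether a Hydra source checkout contains the fix commit
# listed under "Affected Version(s)" on this page.
FIX_COMMIT="dea1e168f590efb27db32dbacc82b09e15f8ae4b"

# hydra_fix_status REPO_DIR [REV] [FIX]   (hypothetical helper name)
# Prints exactly one word:
#   patched    - FIX is REV itself or an ancestor of REV
#   vulnerable - FIX exists in the repository but is not contained in REV
#   unknown    - REV or FIX cannot be resolved (shallow clone, wrong repository,
#                not a git directory), so no conclusion can be drawn
# Caveat: this is a pure ancestry test. A branch that carries the same change
# under a different hash (for example a cherry-pick) is reported as vulnerable
# and has to be reviewed by hand.
hydra_fix_status() {
    repo=$1
    rev=${2:-HEAD}
    fix=${3:-$FIX_COMMIT}

    # Both names must resolve to commit objects before ancestry can be decided.
    if ! git -C "$repo" cat-file -e "${rev}^{commit}" 2>/dev/null ||
       ! git -C "$repo" cat-file -e "${fix}^{commit}" 2>/dev/null; then
        echo unknown
        return 0
    fi

    # merge-base --is-ancestor exits 0 when FIX is reachable from REV,
    # 1 when it is not, and another value on error.
    status=0
    git -C "$repo" merge-base --is-ancestor "$fix" "$rev" 2>/dev/null || status=$?
    case $status in
        0) echo patched ;;
        1) echo vulnerable ;;
        *) echo unknown ;;
    esac
}
```

Run it as `hydra_fix_status /path/to/hydra-checkout`, optionally passing the deployed revision as the second argument; an `unknown` result on a shallow clone means the history has to be fetched before the check is meaningful.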
