CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-36050: Nix through 2.22.1 mishandles certain usage of hash caches, which makes it easier for attackers to replace current source code with...

Description

Nix through 2.22.1 mishandles certain usage of hash caches, which makes it easier for attackers to replace current source code with attacker-controlled source code by luring a maintainer into accepting a malicious pull request.

Classification

CVE ID: CVE-2024-36050

Affected Products

Vendor: n/a

Product: n/a

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 18.45% (scored less or equal to compared to others)

EPSS Date: 2025-03-14 (when was this score calculated)

References

https://github.com/NixOS/nix/issues/969
https://github.com/NixOS/ofborg/issues/68#issuecomment-2082789441
https://discourse.nixos.org/t/nixpkgs-supply-chain-security-project/34345

Timeline

2025-02-14 00:32:16 UTC
CVE

Nix through 2.22.1 mishandles certain usage of hash caches, which makes it easier for attackers to replace current source code with...