CVE-2025-54800

Hydra is a continuous integration service for Nix based projects. Prior to commit dea1e16, a malicious package can introduce arbitrary JavaScript code into the Hydra database that is automatically evaluated in a client's browser when anyone visits the build page. This could be done by a third-party project as part of its build process. This also happens in other places like with hydra-release-name. This issue has been patched by commit dea1e16. A workaround involves either not building untrusted packages or not visiting the builds page.

CVSS

No CVSS.

References

Link	Resource
https://github.com/NixOS/hydra/commit/dea1e168f590efb27db32dbacc82b09e15f8ae4b
https://github.com/NixOS/hydra/security/advisories/GHSA-7qwg-q53v-vh99

Configurations

No configuration.

History

13 Aug 2025, 17:34

Type	Values Removed	Values Added
Summary		(es) Hydra es un servicio de integración continua para proyectos basados en Nix. Antes del commit dea1e16, un paquete malicioso podía introducir código JavaScript arbitrario en la base de datos de Hydra, que se evaluaba automáticamente en el navegador del cliente al visitar la página de compilación. Esto podría ser realizado por un proyecto de terceros como parte de su proceso de compilación. Esto también ocurre en otros lugares, como con hydra-release-name. Este problema se ha corregido con el commit dea1e16. Una solución alternativa consiste en no compilar paquetes no confiables o no visitar la página de compilaciones.

12 Aug 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-12 16:15

Updated : 2025-08-13 17:34

NVD link : CVE-2025-54800

Mitre link : CVE-2025-54800

CVE.ORG link : CVE-2025-54800

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-54800", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-12T16:15:28.170", "references": [{"url": "https://github.com/NixOS/hydra/commit/dea1e168f590efb27db32dbacc82b09e15f8ae4b", "source": "security-advisories@github.com"}, {"url": "https://github.com/NixOS/hydra/security/advisories/GHSA-7qwg-q53v-vh99", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Hydra is a continuous integration service for Nix based projects. Prior to commit dea1e16, a malicious package can introduce arbitrary JavaScript code into the Hydra database that is automatically evaluated in a client's browser when anyone visits the build page. This could be done by a third-party project as part of its build process. This also happens in other places like with hydra-release-name. This issue has been patched by commit dea1e16. A workaround involves either not building untrusted packages or not visiting the builds page."}, {"lang": "es", "value": "Hydra es un servicio de integraci\u00f3n continua para proyectos basados en Nix. Antes del commit dea1e16, un paquete malicioso pod\u00eda introducir c\u00f3digo JavaScript arbitrario en la base de datos de Hydra, que se evaluaba autom\u00e1ticamente en el navegador del cliente al visitar la p\u00e1gina de compilaci\u00f3n. Esto podr\u00eda ser realizado por un proyecto de terceros como parte de su proceso de compilaci\u00f3n. Esto tambi\u00e9n ocurre en otros lugares, como con hydra-release-name. Este problema se ha corregido con el commit dea1e16. Una soluci\u00f3n alternativa consiste en no compilar paquetes no confiables o no visitar la p\u00e1gina de compilaciones."}], "lastModified": "2025-08-13T17:34:12.350", "sourceIdentifier": "security-advisories@github.com"}