CVE-2025-54800

Hydra is a continuous integration service for Nix based projects. Prior to commit dea1e16, a malicious package can introduce arbitrary JavaScript code into the Hydra database that is automatically evaluated in a client's browser when anyone visits the build page. This could be done by a third-party project as part of its build process. This also happens in other places like with hydra-release-name. This issue has been patched by commit dea1e16. A workaround involves either not building untrusted packages or not visiting the builds page.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/NixOS/hydra/commit/dea1e168f590efb27db32dbacc82b09e15f8ae4b	Patch
https://github.com/NixOS/hydra/security/advisories/GHSA-7qwg-q53v-vh99	Vendor Advisory Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:nixos:hydra:*:*:*:*:*:*:*:*

History

22 Sep 2025, 14:57

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.1
References	~~() https://github.com/NixOS/hydra/commit/dea1e168f590efb27db32dbacc82b09e15f8ae4b -~~	() https://github.com/NixOS/hydra/commit/dea1e168f590efb27db32dbacc82b09e15f8ae4b - Patch
References	~~() https://github.com/NixOS/hydra/security/advisories/GHSA-7qwg-q53v-vh99 -~~	() https://github.com/NixOS/hydra/security/advisories/GHSA-7qwg-q53v-vh99 - Vendor Advisory, Patch
CPE		cpe:2.3:a:nixos:hydra::::::::
First Time		Nixos hydra Nixos

13 Aug 2025, 17:34

Type	Values Removed	Values Added
Summary		(es) Hydra es un servicio de integración continua para proyectos basados en Nix. Antes del commit dea1e16, un paquete malicioso podía introducir código JavaScript arbitrario en la base de datos de Hydra, que se evaluaba automáticamente en el navegador del cliente al visitar la página de compilación. Esto podría ser realizado por un proyecto de terceros como parte de su proceso de compilación. Esto también ocurre en otros lugares, como con hydra-release-name. Este problema se ha corregido con el commit dea1e16. Una solución alternativa consiste en no compilar paquetes no confiables o no visitar la página de compilaciones.

12 Aug 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-12 16:15

Updated : 2025-09-22 14:57

NVD link : CVE-2025-54800

Mitre link : CVE-2025-54800

CVE.ORG link : CVE-2025-54800

JSON object : View

Products Affected

nixos

hydra

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.1 /10