CVE-2025-54800

Name
CVE-2025-54800
Description
Hydra is a continuous integration service for Nix-based projects. Prior to commit dea1e16, a malicious package can introduce arbitrary JavaScript code into the Hydra database that is automatically evaluated in a client's browser when anyone visits the build page. This could be done by a third-party project as part of its build process. This also happens in other places, such as with hydra-release-name. This issue has been patched by commit dea1e16. A workaround involves either not building untrusted packages or not visiting the builds page.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type     URI
MISC     https://github.com/NixOS/hydra/commit/dea1e168f590efb27db32dbacc82b09e15f8ae4b
CONFIRM  https://github.com/NixOS/hydra/security/advisories/GHSA-7qwg-q53v-vh99

Match rules

CPE URI                                   Source package  Min version  Max version
                                          hydra           >= 0         < dea1e168f590efb27db32dbacc82b09e15f8ae4b
cpe:2.3:a:nixos:hydra:*:*:*:*:*:*:*:*     hydra           >= None      < 2025-08-12

Vulnerable and fixed packages

Source package  Branch           Version  Maintainer                           Status
hydra           edge-community   9.5-r1   Patrycja Rosa <alpine@ptrcnull.me>   possibly vulnerable
hydra           3.22-community   9.5-r1   Patrycja Rosa <alpine@ptrcnull.me>   possibly vulnerable
hydra           edge-community   9.6-r0   Patrycja Rosa <alpine@ptrcnull.me>   possibly vulnerable
hydra           edge-community   9.6-r1   Patrycja Rosa <alpine@ptrcnull.me>   possibly vulnerable