CVE-2025-54864

Name

CVE-2025-54864

Description

Hydra is a continuous integration service for Nix based projects. Prior to commit f7bda02, /api/push-github and /api/push-gitea are called by the corresponding forge without HTTP Basic authentication. Both forges do however feature HMAC signing with a secret key. Triggering an evaluation can be very taxing on the infrastructure when large evaluations are done, introducing potential denial of service attacks on the host running the evaluator. This issue has been patched by commit f7bda02. A workaround involves blocking /api/push-github and /api/push-gitea via a reverse proxy.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://github.com/NixOS/hydra/commit/f7bda020c6144913f134ec616783e57817f7686f
CONFIRM	https://github.com/NixOS/hydra/security/advisories/GHSA-qpq3-646c-vgx9

CPE URI	Source package	Min version	Max version
	hydra	>= 0	< f7bda020c6144913f134ec616783e57817f7686f
`cpe:2.3:a:nixos:hydra::::::::`	hydra	>= None	< 2025-08-12

Source package	Branch	Version	Maintainer	Status
hydra	edge-community	9.6-r1	Patrycja Rosa <alpine@ptrcnull.me>	possibly vulnerable
hydra	edge-community	9.6-r0	Patrycja Rosa <alpine@ptrcnull.me>	possibly vulnerable
hydra	edge-community	9.5-r1	Patrycja Rosa <alpine@ptrcnull.me>	possibly vulnerable
hydra	3.22-community	9.5-r1	Patrycja Rosa <alpine@ptrcnull.me>	possibly vulnerable

References

Match rules

Vulnerable and fixed packages