CVE-2025-32435 LOW

CVE-2025-32435: Hydra no restricted eval after nix-eval-jobs migration

Vendor Nixos
Product hydra
Weakness CWE-95 · Eval injection
Published April 15, 2025
Last update April 16, 2025

CVSS base score

2.6/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Hydra is a Continuous Integration service for Nix based projects. Evaluation of untrusted non-flake nix code could potentially access secrets that are accessible by the hydra user/group. This should not affect the signing keys, that are owned by the hydra-queue-runner and hydra-www users respectively.

Key dates

02Disclosure timeline

April 15, 2025 CVE published
April 16, 2025 Record updated

Related vulnerabilities

04Related CVE