CVE-2025-59378 MEDIUM

Vendor GNU
Product Guix
Weakness CWE-669
Published September 15, 2025
Last update September 15, 2025

CVSS base score

5.7/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

In guix-daemon in GNU Guix before 1618ca7, a content-addressed-mirrors file can be written to create a setuid program that allows a regular user to gain the privileges of the build user that runs it (even after the build has ended).

Key dates

02 Disclosure timeline

September 15, 2025 CVE published
September 15, 2025 Record updated