CVE-2025-54800
CVE-2025-54800 is a medium-severity vulnerability in Nixos Hydra with a CVSS 3.x base score of 6.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-79.
Key facts
- Severity: Medium (CVSS 3.x base score 6.1)
- CVSS v4: 7.1
- EPSS exploit prediction: 0% (9th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-24268
- Weakness: CWE-79
- Affected product: Nixos Hydra
- Published:
- Last modified:
Description
Hydra is a continuous integration service for Nix based projects. Prior to commit dea1e16, a malicious package can introduce arbitrary JavaScript code into the Hydra database that is automatically evaluated in a client's browser when anyone visits the build page. This could be done by a third-party project as part of its build process. This also happens in other places like with hydra-release-name. This issue has been patched by commit dea1e16. A workaround involves either not building untrusted packages or not visiting the builds page.
Frequently asked questions
- What is CVE-2025-54800?
- Hydra is a continuous integration service for Nix based projects. Prior to commit dea1e16, a malicious package can introduce arbitrary JavaScript code into the Hydra database that is automatically evaluated in a client's browser when anyone visits the build page. This could be done by a third-party project as part of its build process. This also happens in other places like with hydra-release-name. This issue has been patched by commit dea1e16. A workaround involves either not building untrusted packages or not visiting the builds page.
- How severe is CVE-2025-54800?
- CVE-2025-54800 has a CVSS 3.x base score of 6.1, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is low, integrity low, and availability none.
- Is CVE-2025-54800 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (9th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-54800?
- CVE-2025-54800 affects Nixos Hydra. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-54800?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-54800 have an EU (EUVD) identifier?
- Yes. CVE-2025-54800 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-24268.
- When was CVE-2025-54800 published?
- CVE-2025-54800 was published on 2025-08-12 and last updated on 2026-06-17.
References
- https://github.com/NixOS/hydra/commit/dea1e168f590efb27db32dbacc82b09e15f8ae4b
- https://github.com/NixOS/hydra/security/advisories/GHSA-7qwg-q53v-vh99
Affected products (1)
- cpe:2.3:a:nixos:hydra:*:*:*:*:*:*:*:*
More vulnerabilities in Nixos Hydra
- CVE-2025-54864 — High (CVSS 7.5): Hydra is a continuous integration service for Nix based projects. Prior to commit f7bda02, /api/push-github and…
- CVE-2024-45049 — High (CVSS 7.5): Hydra is a Continuous Integration service for Nix based projects. It is possible to trigger evaluations in Hydra…
- CVE-2024-32657 — Medium (CVSS 4.6): Hydra is a Continuous Integration service for Nix based projects. Attackers can execute arbitrary code in the browser…
- CVE-2025-32435 — Low (CVSS 2.6): Hydra is a Continuous Integration service for Nix based projects. Evaluation of untrusted non-flake nix code could…
All CVEs affecting Nixos Hydra →
Other CWE-79 (Cross-site Scripting (XSS)) vulnerabilities
- CVE-2025-49410 — Critical (CVSS 10.0): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imran Emu TC…
- CVE-2024-47875 — Critical (CVSS 10.0): DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to…
- CVE-2024-6886 — Critical (CVSS 10.0): Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gitea…
- CVE-2023-45144 — Critical (CVSS 10.0): com.xwiki.identity-oauth:identity-oauth-ui is a package to aid in building identity and service providers based on…
- CVE-2023-45138 — Critical (CVSS 10.0): Change Request is an pplication allowing users to request changes on a wiki without publishing the changes directly.…
- CVE-2022-4361 — Critical (CVSS 10.0): Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the…
Browse all CWE-79 (Cross-site Scripting (XSS)) vulnerabilities →