Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-54864

Hydra is a continuous integration service for Nix based projects. Prior to commit f7bda02, /api/push-github and /api/push-gitea are called by the corresponding forge without HTTP Basic authentication. Both forges do however feature HMAC signing with a secret key. Triggering an evaluation can be very taxing on the infrastructure when large evaluations are done, introducing potential denial of service attacks on the host running the evaluator. This issue has been patched by commit f7bda02. A workaround involves blocking /api/push-github and /api/push-gitea via a reverse proxy.

Published

2025-08-12T16:15:28.337

Last Modified

2025-09-22T14:58:23.957

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Secondary
CWE-306

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nixos	hydra	< 2025-08-12	Yes

References

https://github.com/NixOS/hydra/commit/f7bda020c6144913f134ec616783e57817f7686f Patch ([email protected])
https://github.com/NixOS/hydra/security/advisories/GHSA-qpq3-646c-vgx9 Patch, Vendor Advisory ([email protected])