NixOS Hydra Continuous Integration Service Secret Exposure Vulnerability
Vulnerability
A vulnerability in the NixOS Hydra Continuous Integration service allows untrusted code in non-flake Nix inputs to potentially read secrets that are accessible to the hydra user or group. This issue does not affect the signing keys held by the hydra-queue-runner and hydra-www users.
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive information, specifically secrets accessible by the hydra user or group.
Remediation
Users can migrate their inputs to flakes, which are evaluated in pure mode. Additionally, Hydra has been updated to version 2.28.1, which restores the 'restricted-eval' option so that evaluations of non-flake inputs can again be restricted.
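The remediation above depends on the evaluator actually refusing to read arbitrary files once restricted evaluation is back in place. The following POSIX shell script is an added regression check for operators, not code from the advisory or from the Hydra project. It assumes that the evaluator honours the Nix-level option `restrict-eval` (the advisory names Hydra's corresponding option 'restricted-eval'; the mapping between the two is an assumption here), that a refused absolute-path read fails with an error mentioning "restricted mode", and that `nix-instantiate` is on the PATH; the probe path `/etc/hostname` and the script name used in the guard are illustrative choices.

```shell
#!/bin/sh
# Added regression check for restricted evaluation (not part of the advisory
# or of Hydra). Assumptions: the evaluator honours `restrict-eval`, and a
# refused absolute-path read fails with an error containing "restricted mode".

# Classify one evaluation attempt from its exit status and captured stderr.
# Prints exactly one of: enforced | leaked | unexpected
classify_eval() {
  status="$1"
  stderr="$2"
  if [ "$status" -ne 0 ] && printf '%s' "$stderr" | grep -qi 'restricted mode'; then
    echo enforced      # the evaluator refused the read: restriction is active
  elif [ "$status" -eq 0 ]; then
    echo leaked        # the file was read: restriction is NOT active
  else
    echo unexpected    # failed for another reason (missing file, syntax, ...)
  fi
}

# Ask a real evaluator to read a harmless world-readable path under
# restrict-eval. Only the success/failure matters, not the file content.
# Prints "skipped" when no evaluator is installed.
probe_restricted_eval() {
  probe_path="${1:-/etc/hostname}"   # illustrative default, any readable file works
  if ! command -v nix-instantiate >/dev/null 2>&1; then
    echo skipped
    return 0
  fi
  # Capture stderr only; stdout (the evaluated value) is discarded on purpose.
  err=$(nix-instantiate --eval --option restrict-eval true \
          --expr "builtins.readFile \"$probe_path\"" 2>&1 >/dev/null)
  rc=$?
  classify_eval "$rc" "$err"
}

# Stand-alone use: save as check-restrict-eval.sh and run it on the Hydra host.
# Exit status is non-zero only when the evaluator read the path unrestricted.
if [ "${0##*/}" = "check-restrict-eval.sh" ]; then
  result=$(probe_restricted_eval "$@")
  echo "restrict-eval check: $result"
  [ "$result" != leaked ]
fi
```

Run it as the same user that performs Hydra evaluations, since the point is to observe what that user's evaluator will and will not read; an `unexpected` result (for example a missing probe file) should be investigated rather than treated as a pass, and the check belongs in whatever job validates a Hydra upgrade.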
