NixOS Captive Browser Privilege Escalation Vulnerability

A vulnerability in the NixOS captive browser module, present in versions through 25.05, allows any user to execute arbitrary commands with the CAP_NET_RAW capability. This could be exploited to bind to privileged ports or spoof localhost traffic from services running with elevated privileges. The issue arises when the captive browser feature is enabled, creating a potential security risk by allowing unauthorized command execution with network-related capabilities.

Impact

Exploitation of this vulnerability could lead to unauthorized privilege escalation, allowing users to execute commands with the CAP_NET_RAW capability, which could be used to manipulate network traffic or bind to privileged ports.

Remediation

Users can upgrade to NixOS versions 25.11 or 26.05, where this vulnerability has been patched. Alternatively, the captive browser module can be disabled, or the 'config.security.wrappers.udhcpc.enable' option can be set to false in the NixOS configuration.