CVE-2025-54864

EPSS 0.1%
Veröffentlicht 12.08.2025 15:48:54
Zuletzt bearbeitet 22.09.2025 14:58:23
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

Hydra is a continuous integration service for Nix based projects. Prior to commit f7bda02, /api/push-github and /api/push-gitea are called by the corresponding forge without HTTP Basic authentication. Both forges do however feature HMAC signing with a secret key. Triggering an evaluation can be very taxing on the infrastructure when large evaluations are done, introducing potential denial of service attacks on the host running the evaluator. This issue has been patched by commit f7bda02. A workaround involves blocking /api/push-github and /api/push-gitea via a reverse proxy.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nixos ≫ Hydra Version < 2025-08-12

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.1%	0.283

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com	6.9	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://github.com/NixOS/hydra/security/advisories/GHSA-qpq3-646c-vgx9

Patch

Vendor Advisory

https://github.com/NixOS/hydra/commit/f7bda020c6144913f134ec616783e57817f7686f

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-54864

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-54864

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-54864

EUVD