CVE-2025-54864

EPSS 0.1%
Published 12.08.2025 15:48:54
Last modified 22.09.2025 14:58:23
Source security-advisories@github.com
Teams watchlist Login
Open Login

Hydra is a continuous integration service for Nix based projects. Prior to commit f7bda02, /api/push-github and /api/push-gitea are called by the corresponding forge without HTTP Basic authentication. Both forges do however feature HMAC signing with a secret key. Triggering an evaluation can be very taxing on the infrastructure when large evaluations are done, introducing potential denial of service attacks on the host running the evaluator. This issue has been patched by commit f7bda02. A workaround involves blocking /api/push-github and /api/push-gitea via a reverse proxy.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Nixos ≫ Hydra Version < 2025-08-12

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.1%	0.283

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com	6.9	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://github.com/NixOS/hydra/security/advisories/GHSA-qpq3-646c-vgx9

Patch

Vendor Advisory

https://github.com/NixOS/hydra/commit/f7bda020c6144913f134ec616783e57817f7686f

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-54864

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-54864

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-54864

EUVD