QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2025-54800

Back to search

CVE-2025-54800

Published: Aug 12, 2025

Modified: Aug 12, 2025

PUBLISHED

Description

Hydra is a continuous integration service for Nix based projects. Prior to commit dea1e16, a malicious package can introduce arbitrary JavaScript code into the Hydra database that is automatically evaluated in a client's browser when anyone visits the build page. This could be done by a third-party project as part of its build process. This also happens in other places like with hydra-release-name. This issue has been patched by commit dea1e16. A workaround involves either not building untrusted packages or not visiting the builds page.

VendorProductVersions

NixOS

hydra

affected
< dea1e168f590efb27db32dbacc82b09e15f8ae4b

Weaknesses (CWE)

CWE-79

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now