CVE-2025-59378

Published: Sep 15, 2025

Modified: Sep 15, 2025

PUBLISHED

CVSS v3.1

5.7

MEDIUM

Description

In guix-daemon in GNU Guix before 1618ca7, a content-addressed-mirrors file can be written to create a setuid program that allows a regular user to gain the privileges of the build user that runs it (even after the build has ended).

Vendor	Product	Versions
GNU	Guix	affected `0 - < 1618ca7aa2ee8b6519ee9fd0b965e15eca2bfe45`

Weaknesses (CWE)

CWE-669

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

References

https://guix.gnu.org/en/blog/2025/privilege-escalation-vulnerability-2025-2/

https://codeberg.org/guix/guix/commit/1618ca7aa2ee8b6519ee9fd0b965e15eca2bfe45

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-59378

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References