CVE-2025-32435

Summary

Hydra is a Continuous Integration service for Nix based projects. Evaluation of untrusted non-flake nix code could potentially access secrets that are accessible by the hydra user/group. This should not affect the signing keys, that are owned by the hydra-queue-runner and hydra-www users respectively.

Affected Software

VendorProductVersion RangeStatus
NixOShydra< 8d750265135b7e203520036a742afdf301b4013faffected

Weaknesses

  • CWE-95: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References