CVE-2025-59378

Summary

In guix-daemon in GNU Guix before 1618ca7, a content-addressed-mirrors file can be written to create a setuid program that allows a regular user to gain the privileges of the build user that runs it (even after the build has ended).

Affected Software

VendorProductVersion RangeStatus
GNUGuix0 < 1618ca7aa2ee8b6519ee9fd0b965e15eca2bfe45affected

Weaknesses

  • CWE-669: CWE-669 Incorrect Resource Transfer Between Spheres

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References