{"id":"CVE-2024-36050","details":"Nix through 2.22.1 mishandles certain usage of hash caches, which makes it easier for attackers to replace current source code with attacker-controlled source code by luring a maintainer into accepting a malicious pull request.","modified":"2026-03-14T12:34:21.776760Z","published":"2024-05-18T22:15:07.460Z","references":[{"type":"WEB","url":"https://discourse.nixos.org/t/nixpkgs-supply-chain-security-project/34345"},{"type":"ADVISORY","url":"https://discourse.nixos.org/t/security-advisory-privilege-escalations-in-nix-lix-and-guix/66017/26"},{"type":"REPORT","url":"https://github.com/NixOS/nix/issues/969"},{"type":"REPORT","url":"https://github.com/NixOS/ofborg/issues/68#issuecomment-2082789441"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/NixOS/nix","events":[{"introduced":"0"},{"last_affected":"adba2f19a02eaa74336a06a026d3c37af8020559"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.22.1"}]}}],"versions":["1.0","1.1","1.10","1.11","1.11.1","1.2","1.3","1.4","1.5","1.5.1","1.5.2","1.5.3","1.6","1.6.1","1.7","1.8","1.9","2.0","2.2","2.22.0","2.22.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-36050.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}]}