{"id":"CVE-2025-32435","summary":"Hydra lacks restricted eval after nix-eval-jobs migration","details":"Hydra is a Continuous Integration service for Nix-based projects. Evaluation of untrusted non-flake Nix code could potentially access secrets that are accessible by the hydra user/group. This should not affect the signing keys, which are owned by the hydra-queue-runner and hydra-www users respectively.","aliases":["GHSA-j7w7-965w-vjxw"],"modified":"2026-04-10T05:25:53.860866Z","published":"2025-04-15T22:19:46.856Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/32xxx/CVE-2025-32435.json","cwe_ids":["CWE-95"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/nix-community/nix-eval-jobs/releases/tag/v2.28.1"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/32xxx/CVE-2025-32435.json"},{"type":"ADVISORY","url":"https://github.com/NixOS/hydra/security/advisories/GHSA-j7w7-965w-vjxw"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32435"},{"type":"FIX","url":"https://github.com/NixOS/hydra/commit/8d750265135b7e203520036a742afdf301b4013f"},{"type":"FIX","url":"https://github.com/NixOS/nixpkgs/pull/397919"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nixos/hydra","events":[{"introduced":"0"},{"fixed":"8d750265135b7e203520036a742afdf301b4013f"}]},{"type":"GIT","repo":"https://github.com/nixos/nix-eval-jobs","events":[{"introduced":"0"},{"fixed":"e376e07271dd405d5427e2dd4a29864fb5347f34"}]}],"versions":["v0.0.1","v0.0.2","v0.0.3","v0.0.4","v0.0.6","v2.12.0","v2.12.1","v2.14.0","v2.17.0","v2.17.1","v2.18.0","v2.21.0","v2.22.1","v2.23.0","v2.24.0","v2.24.1","v2.25.0","v2.26.0","v2.27.0","v2.28.0","v2.9.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"2025-04-11"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32435.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"}]}