CVE-2024-45593: Path Traversal in NIX

CWE-22 Path Traversal | 5 documents | 4 sources
Severity
8.8 HIGH (NVD)
OSV 5.9
EPSS
0.4%
top 36.37%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Sep 10
Latest update: Jul 14

Description

Nix is a package manager for Linux and other Unix systems. A bug in Nix 2.24 prior to 2.24.6 allows a substituter or malicious user to craft a NAR that, when unpacked by Nix, causes Nix to write to arbitrary file system locations to which the Nix process has access. This will be with root permissions when using the Nix daemon. This issue is fixed in Nix 2.24.6.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (4 packages)

NVD | nixos/nix | 2.24.0 | 2.24.6
Ubuntu | nixos/nix | < 2.6.0+dfsg-3ubuntu0.1~esm1+1
CVEListV5 | nixos/nix | >= 2.24.0, < 2.24.6
debian | debian/nix

Patches

🔴 Vulnerability Details (2)

OSV | nix vulnerabilities | 2025-07-14
OSV | CVE-2024-45593: Nix is a package manager for Linux and other Unix systems | 2024-09-10

📋 Vendor Advisories (2)

Ubuntu | Nix vulnerabilities | 2025-07-14
Debian | CVE-2024-45593: nix - Nix is a package manager for Linux and other Unix systems. A bug in Nix 2.24 pri... | 2024