CVE-2025-52992 — Incorrect Permission Assignment in Guix

CWE-732 — Incorrect Permission Assignment4 documents4 sources

Severity

3.2LOWNVD

EPSS

0.0%

top 94.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nixos NIX Debian Guix

Timeline

PublishedJun 27

Description

The Nix, Lix, and Guix package managers fail to properly set permissions when a derivation build fails. This may allow arbitrary processes to modify the content of a store outside of the build sandbox. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:NExploitability: 1.4 | Impact: 1.4

Affected Packages2 packages

▶debiandebian/guix

▶CVEListV5nixos/nix2.25.0 — 2.26.4+3

🔴Vulnerability Details

GHSA

GHSA-wcw8-hffm-7w9g: The Nix, Lix, and Guix package managers fail to properly set permissions when a derivation build fails↗2025-06-27

▶

OSV

CVE-2025-52992: The Nix, Lix, and Guix package managers fail to properly set permissions when a derivation build fails↗2025-06-27

▶

📋Vendor Advisories

Debian

CVE-2025-52992: guix - The Nix, Lix, and Guix package managers fail to properly set permissions when a ...↗2025

▶