CVE-2025-59378

CWE-6695 documents5 sources

Severity

5.7MEDIUM

EPSS

0.0%

top 95.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Guix

Timeline

PublishedSep 15

Description

In guix-daemon in GNU Guix before 1618ca7, a content-addressed-mirrors file can be written to create a setuid program that allows a regular user to gain the privileges of the build user that runs it (even after the build has ended).

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NExploitability: 2.5 | Impact: 2.7

Affected Packages1 packages

▶CVEListV5gnu/guix< 1618ca7aa2ee8b6519ee9fd0b965e15eca2bfe45

🔴Vulnerability Details

CVEList

CVE-2025-59378: In guix-daemon in GNU Guix before 1618ca7, a content-addressed-mirrors file can be written to create a setuid program that allows a regular user to ga↗2025-09-15

▶

GHSA

GHSA-75hx-v6j6-m6h7: In guix-daemon in GNU Guix before 1618ca7, a content-addressed-mirrors file can be written to create a setuid program that allows a regular user to ga↗2025-09-15

▶

OSV

CVE-2025-59378: In guix-daemon in GNU Guix before 1618ca7, a content-addressed-mirrors file can be written to create a setuid program that allows a regular user to ga↗2025-09-15

▶

📋Vendor Advisories

Debian

CVE-2025-59378: guix - In guix-daemon in GNU Guix before 1618ca7, a content-addressed-mirrors file can ...↗2025

▶