CVE-2024-27297 in nixinfo

Summary

by MITRE • 03/12/2024

Nix is a package manager for Linux and other Unix systems. A fixed-output derivations on Linux can send file descriptors to files in the Nix store to another program running on the host (or another fixed-output derivation) via Unix domain sockets in the abstract namespace. This allows to modify the output of the derivation, after Nix has registered the path as "valid" and immutable in the Nix database. In particular, this allows the output of fixed-output derivations to be modified from their expected content. This issue has been addressed in versions 2.3.18 2.18.2 2.19.4 and 2.20.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/17/2025

The vulnerability identified as CVE-2024-27297 affects the Nix package manager ecosystem, specifically targeting fixed-output derivations on Linux systems within the abstract namespace of Unix domain sockets. This flaw represents a critical security weakness that undermines the integrity and immutability guarantees that Nix systems rely upon for secure software delivery and reproducible builds. The vulnerability exists in the way Nix handles file descriptor passing mechanisms during fixed-output derivation execution, creating an attack surface where malicious actors can manipulate the output of derivations after they have been marked as valid and immutable within the Nix database.

The technical exploitation of this vulnerability occurs through a sophisticated attack vector involving Unix domain sockets in the abstract namespace. Attackers can leverage this mechanism to send file descriptors pointing to files within the Nix store to other programs running on the same host or within other fixed-output derivations. This capability allows for post-execution modification of derivation outputs, effectively bypassing Nix's integrity checks and immutable storage guarantees. The vulnerability specifically targets the validation process where Nix registers paths as "valid" and immutable, creating a window of opportunity for attackers to modify content after the system has already accepted it as legitimate.

The operational impact of this vulnerability extends beyond simple data corruption, fundamentally compromising the trust model that Nix systems depend upon for secure package management. When fixed-output derivations are modified after registration, it breaks the reproducibility guarantees that make Nix valuable for enterprise and development environments. This vulnerability affects the core integrity mechanisms of the Nix store, potentially allowing attackers to inject malicious code or alter package contents in ways that could persist across system updates and deployments. The implications are particularly severe for environments where Nix is used for critical infrastructure management or security-sensitive applications where package integrity is paramount.

This vulnerability aligns with CWE-345 Insufficient Verification of Data Authenticity, as it involves the failure to properly verify the authenticity of derivation outputs after they have been registered as valid within the Nix database. The issue also relates to ATT&CK technique T1059 Command and Scripting Interpreter, specifically through the manipulation of file descriptors to achieve unauthorized access to system resources. Additionally, it maps to ATT&CK technique T1553 File System Permissions and Access Controls, as it exploits improper access control mechanisms within the Nix store's file descriptor handling. The vulnerability demonstrates a clear failure in the principle of least privilege and proper access control enforcement within the Nix package management system.

The fix for CVE-2024-27297 has been implemented in versions 2.3.18, 2.18.2, 2.19.4, and 2.20.5 of the Nix package manager, addressing the core issue of improper file descriptor handling in fixed-output derivations. These updates implement stronger validation mechanisms that prevent the passing of file descriptors to the Nix store after derivation registration, effectively closing the attack vector that enabled this vulnerability. Organizations using Nix systems should immediately upgrade to one of these patched versions to mitigate the risk of exploitation. The absence of known workarounds indicates that this vulnerability requires a proper software update to resolve, as the underlying architectural issue cannot be addressed through configuration changes or temporary mitigations. System administrators should prioritize this upgrade across all Nix-managed environments, particularly those handling sensitive or security-critical packages where the integrity of derivation outputs is essential for maintaining system security.

Responsible

GitHub, Inc.

Reservation

02/22/2024

Disclosure

03/12/2024

Moderation

accepted

CPE

ready

EPSS

0.00586

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!