CVE-2024-36050 in Nix
Summary
by MITRE • 05/19/2024
Nix through 2.22.1 mishandles certain usage of hash caches, which makes it easier for attackers to replace current source code with attacker-controlled source code by luring a maintainer into accepting a malicious pull request.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/29/2025
The vulnerability identified as CVE-2024-36050 affects the Nix package manager version 2.22.1 and earlier, presenting a significant security risk through improper handling of hash caches. This flaw creates a pathway for attackers to manipulate source code integrity by exploiting the caching mechanism used during package builds. The vulnerability stems from how Nix manages cryptographic hashes in its cache system, which can be manipulated to substitute legitimate source code with malicious alternatives without detection.
The technical flaw manifests in the hash cache validation process where Nix fails to properly verify the authenticity of cached hash values. When a maintainer reviews a pull request containing malicious code, the system's hash cache mechanism may incorrectly accept compromised artifacts as valid, allowing attackers to bypass normal security checks. This represents a critical weakness in the supply chain security model, as it enables attackers to exploit human trust in the review process by leveraging automated system validation mechanisms.
The operational impact of this vulnerability extends beyond simple code substitution, creating potential for widespread compromise across Nix-based systems. Attackers can craft malicious pull requests that appear legitimate to automated systems but contain code that will execute with elevated privileges when integrated into the build process. The vulnerability particularly affects organizations relying on Nix for package management, as it undermines the integrity guarantees that make the system trustworthy for critical infrastructure deployments.
This vulnerability aligns with CWE-284 Access Control Bypass and maps to ATT&CK technique T1584 Compromise Infrastructure, as it enables attackers to establish persistent access through compromised package repositories. The flaw also relates to CWE-345 Insufficient Verification of Data Authenticity, highlighting the critical importance of proper cryptographic validation in package management systems. Organizations using Nix should implement immediate mitigations including disabling hash cache functionality during critical review processes, implementing additional verification steps, and establishing more rigorous pull request validation procedures to prevent unauthorized code injection.
The security implications of CVE-2024-36050 underscore the importance of maintaining proper cryptographic verification in software supply chain systems, particularly in package managers that rely heavily on hash-based integrity checks. This vulnerability demonstrates how seemingly minor cache management flaws can create significant security risks when combined with social engineering tactics that exploit human review processes. System administrators should prioritize updating to patched versions of Nix and implement additional security controls to prevent exploitation of this vulnerability in their environments.