CVE-2024-45593

9.0 CRITICAL

📋 TL;DR

This vulnerability in the Nix package manager lets a malicious substituter (binary cache), or a user who can get Nix to process a crafted NAR (Nix archive), write files to any location the Nix process can reach. In the default multi-user install the Nix daemon runs as root, so a crafted NAR can lead to complete system compromise. All users running Nix 2.24 prior to 2.24.6 are affected.

💻 Affected Systems

Products:
  • Nix package manager
Versions: 2.24.0 through 2.24.5
Operating Systems: Linux, macOS, and any other platform Nix runs on (the bug is in Nix's NAR handling, not in the operating system)
Default Config Vulnerable: ⚠️ Yes
Notes: Most severe when Nix daemon runs with root permissions (common default configuration)

📦 What is this software?

Nix is a cross-platform package manager that keeps every package in an immutable store under /nix/store. In the default multi-user installation, unprivileged clients talk to a root-owned nix-daemon over a local socket, and the daemon performs all writes to the store. NAR (Nix archive) is Nix's serialization format for store paths; it is what binary caches (substituters) serve and what the daemon unpacks when it receives a path from a cache or a client.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise via arbitrary file write as root, enabling remote code execution, persistence, and data theft

🟠

Likely Case

Local privilege escalation or unauthorized file modification when Nix daemon runs with elevated privileges

🟢

If Mitigated

Limited impact if Nix runs without daemon or with restricted permissions, but still allows unauthorized file writes

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires ability to craft malicious NAR archives and have them processed by Nix
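The advisory does not say which parsing check the 2.24 series dropped, so the validator below does not reproduce the bug. It is an added example, not Nix's own code, of the invariants any NAR unpacker must enforce before it writes anything to disk: each entry name is a single path component (not empty, not "." or "..", no "/" and no NUL), directory entries are strictly sorted, and every length field stays inside the buffer. The NAR wire format used here (the "nix-archive-1" magic, 8-byte little-endian length-prefixed strings padded to 8 bytes, and the "(" "type" ... ")" node grammar) is Nix's documented format; the two archives at the bottom are constructed samples, not real cache content.

```python
"""Parse a NAR and refuse it if any entry could escape the unpack directory."""
import struct

MAGIC = b"nix-archive-1"


class NarError(ValueError):
    """Malformed or unsafe archive: the caller must not unpack it."""


# --- minimal NAR writer, used only to build the constructed samples below ---
def nar_str(b: bytes) -> bytes:
    """One NAR string: u64 little-endian length, payload, zero padding to 8."""
    return struct.pack("<Q", len(b)) + b + b"\0" * ((-len(b)) % 8)


def nar_regular(contents: bytes) -> bytes:
    return b"".join(nar_str(s) for s in (b"(", b"type", b"regular", b"contents", contents, b")"))


def nar_directory(entries: dict) -> bytes:
    """entries maps name -> serialised child node (Nix requires sorted names)."""
    body = [nar_str(b"("), nar_str(b"type"), nar_str(b"directory")]
    for name, node in entries.items():
        body += [nar_str(b"entry"), nar_str(b"("), nar_str(b"name"), nar_str(name),
                 nar_str(b"node"), node, nar_str(b")")]
    body.append(nar_str(b")"))
    return b"".join(body)


# --- reader / validator ---
class NarReader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def read(self) -> bytes:
        if self.pos + 8 > len(self.data):
            raise NarError("truncated length field")
        (n,) = struct.unpack_from("<Q", self.data, self.pos)
        start, end = self.pos + 8, self.pos + 8 + n
        pad = (-n) % 8
        if end + pad > len(self.data):          # length field points past the buffer
            raise NarError("truncated string")
        if self.data[end:end + pad] != b"\0" * pad:
            raise NarError("non-zero padding")
        self.pos = end + pad
        return self.data[start:end]

    def expect(self, tok: bytes) -> None:
        got = self.read()
        if got != tok:
            raise NarError(f"expected {tok!r}, got {got!r}")


def check_entry_name(name: bytes, parent: str) -> None:
    """A name must be exactly one path component; anything else can traverse."""
    if name in (b"", b".", b"..") or b"/" in name or b"\0" in name:
        raise NarError(f"unsafe entry name {name!r} under {parent!r}")


def parse_node(r: NarReader, path: str, out: list) -> None:
    r.expect(b"(")
    r.expect(b"type")
    kind = r.read()
    if kind == b"regular":
        tag = r.read()
        if tag == b"executable":                 # optional "executable" "" marker
            r.expect(b"")
            tag = r.read()
        if tag != b"contents":
            raise NarError(f"bad regular-file field {tag!r}")
        out.append((path, "regular", len(r.read())))
        r.expect(b")")
    elif kind == b"symlink":
        r.expect(b"target")
        out.append((path, "symlink", r.read().decode("utf-8", "replace")))
        r.expect(b")")
    elif kind == b"directory":
        out.append((path, "directory", None))
        prev = None
        while True:
            tag = r.read()
            if tag == b")":                      # end of this directory node
                return
            if tag != b"entry":
                raise NarError(f"bad directory field {tag!r}")
            r.expect(b"(")
            r.expect(b"name")
            name = r.read()
            check_entry_name(name, path)
            if prev is not None and name <= prev:
                raise NarError(f"entries not strictly sorted at {name!r}")
            prev = name
            r.expect(b"node")
            parse_node(r, path + "/" + name.decode("utf-8", "replace"), out)
            r.expect(b")")
    else:
        raise NarError(f"unknown node type {kind!r}")


def list_nar(data: bytes) -> list:
    """Return (path, kind, detail) for every node, or raise NarError."""
    r = NarReader(data)
    r.expect(MAGIC)
    out: list = []
    parse_node(r, "", out)
    if r.pos != len(data):
        raise NarError("trailing data after archive")
    return out


def is_safe_nar(data: bytes) -> bool:
    try:
        list_nar(data)
        return True
    except NarError:
        return False


# Constructed samples (not real cache content).
BENIGN_NAR = nar_str(MAGIC) + nar_directory(
    {b"bin": nar_directory({b"hello": nar_regular(b"#!/bin/sh\necho hi\n")})})
# An entry named ".." would land one level above the target if written blindly.
EVIL_NAR = nar_str(MAGIC) + nar_directory({b"..": nar_regular(b"pwned\n")})
```

To inspect a real archive, pass the bytes of a .nar file (decompress .nar.xz first) to list_nar and act on the NarError instead of unpacking; the listing it returns is what a conforming unpacker would create under the store path.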

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.24.6

Vendor Advisory: https://github.com/NixOS/nix/security/advisories/GHSA-h4vv-h3jq-v493

Restart Required: Yes

Instructions:

1. Stop the Nix daemon: sudo systemctl stop nix-daemon
2. Update the copy of Nix that the daemon runs, not just your user's. On NixOS, set nix.package to a Nix 2.24.6 or newer package (or update your nixpkgs input) and run nixos-rebuild switch, which also restarts the daemon. On a non-NixOS multi-user install the daemon comes from root's profile (/nix/var/nix/profiles/default), so upgrade that profile: sudo -i sh -c 'nix-channel --update && nix-env -iA nixpkgs.nix'. Running nix-env -iA nixpkgs.nix as an unprivileged user only updates that user's profile and leaves the root daemon on the vulnerable version.
3. Restart the daemon so it picks up the new binary (a running daemon keeps executing the old one): sudo systemctl start nix-daemon. On macOS: sudo launchctl kickstart -k system/org.nixos.nix-daemon

🔧 Temporary Workarounds

Disable Nix daemon

linux

Stopping the daemon removes the root-privileged unpacking path, but in a multi-user install it also makes Nix unusable for every user until it is started again; it does not turn the installation into a single-user one. In a true single-user install Nix runs as the invoking user, so a crafted NAR can still write anywhere that user can.

sudo systemctl stop nix-daemon
sudo systemctl disable nix-daemon

Restrict NAR sources

linux

Only use trusted substituters and disable untrusted NAR sources (NixOS configuration.nix; the equivalent nix.conf keys are substituters and trusted-substituters). Note the limit of this workaround: the advisory says the NAR can come from a substituter or from a user, so any local user who can hand the daemon a NAR to add to the store is not covered by restricting caches.

nix.settings.substituters = [ "https://cache.nixos.org" ];
nix.settings.trusted-substituters = [ "https://cache.nixos.org" ];

🧯 If You Can't Patch

  • Run Nix without the daemon (single-user mode), accepting that file writes then happen as the invoking user rather than root
  • Implement strict access controls on the Nix store, the daemon socket and configuration directories, and limit who can reach the daemon

🔍 How to Verify

Check if Vulnerable:

Check Nix version (anchored so that, for example, a future 2.24.50 is not misread as affected): nix --version | grep -E ' 2\.24\.[0-5]$'
On a multi-user install the daemon's binary is the one that matters, so also check root's profile: /nix/var/nix/profiles/default/bin/nix --version, and the version of the running daemon itself: nix store ping (the Version line).

Check Version:

nix --version

Verify Fix Applied:

Verify the version is 2.24.6 or higher for both the client and the daemon, and that the daemon has been restarted since the upgrade: nix --version; /nix/var/nix/profiles/default/bin/nix --version; nix store ping
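The grep above only looks at whatever nix is first on PATH. The script below is an added example (not from the advisory or the Nix project) that parses nix --version output, compares the version as a tuple against the range this page lists (2.24.0 up to but not including 2.24.6), and checks three places that can disagree: the user's nix, root's default profile (assumed to be /nix/var/nix/profiles/default/bin/nix, the standard multi-user layout), and the binary the live nix-daemon process is actually executing, read from /proc on Linux (which needs root for a root daemon).

```python
"""Is this host's Nix in the range affected by CVE-2024-45593?"""
import os
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]
AFFECTED_MIN: Version = (2, 24, 0)   # first affected release listed on this page
FIXED: Version = (2, 24, 6)          # first fixed release

# Assumed path of the daemon's Nix in a standard multi-user install.
DAEMON_PROFILE_NIX = "/nix/var/nix/profiles/default/bin/nix"


def parse_nix_version(output: str) -> Version:
    """Extract x.y.z from text such as 'nix (Nix) 2.24.5'."""
    m = re.search(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError(f"unrecognised version output: {output!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(v: Version) -> bool:
    """Tuple comparison, so 2.24.10 is correctly treated as fixed."""
    return AFFECTED_MIN <= v < FIXED


def classify(output: str) -> str:
    return "VULNERABLE" if is_affected(parse_nix_version(output)) else "not in affected range"


def version_of(binary: str) -> Optional[Version]:
    """Run `<binary> --version`; None if the binary is absent or fails."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return parse_nix_version(out)


def running_daemon_binary() -> Optional[str]:
    """Executable of the live nix-daemon (Linux /proc; needs root for a root
    daemon). A daemon started before the upgrade still runs the old code."""
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/comm") as f:
                if f.read().strip() != "nix-daemon":
                    continue
            return os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue
    return None


def fmt(v: Optional[Version]) -> str:
    if v is None:
        return "not found"
    return ".".join(map(str, v)) + (" VULNERABLE" if is_affected(v) else " ok")


if __name__ == "__main__":
    print("user nix:      ", fmt(version_of("nix")))
    print("daemon profile:", fmt(version_of(DAEMON_PROFILE_NIX)))
    exe = running_daemon_binary()
    print("running daemon:", "not visible/not running" if exe is None
          else f"{exe} {fmt(version_of(exe))}")
```

A result of "ok" for the profile but "VULNERABLE" for the running daemon means the upgrade happened but the daemon was never restarted.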

📡 Detection & Monitoring

Log Indicators:

  • File creation or modification by nix-daemon outside /nix/store and /nix/var/nix (the daemon's normal write locations)
  • Files appearing in /etc, cron or systemd directories, or home directories at the same time as a substitution or store import
  • Nix daemon process spawning unexpected child processes other than builders

Network Indicators:

  • Downloads from hosts that are not your configured substituters
  • .nar or .nar.xz transfers from unexpected sources

SIEM Query:

process.name:"nix-daemon" AND event.action:("creation" OR "modification") AND NOT file.path:("/nix/store/*" OR "/nix/var/nix/*" OR "/nix/var/log/nix/*")

Field names are ECS-style and illustrative; adapt them to your schema. The exclusion list must cover everything the daemon writes legitimately (store, database and temproots under /nix/var/nix, build logs, build directories), otherwise the query fires constantly. Also note that a prefix match on the raw path is bypassed by an unnormalized path such as /nix/store/../etc/cron.d/x; normalize before matching if your source logs raw paths.
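The same detection logic run over constructed file-event records, as an added example that is not from the page or the Nix project. Field names (process.name, event.action, file.path) are ECS-style assumptions and the allow-list of legitimate daemon write locations is an assumption to tune per installation. It normalizes each path before the prefix check, so a traversal path that starts with /nix/store/ is still caught, and it matches prefixes with a trailing slash so that a sibling such as /nix/storeX is not accepted.

```python
"""Flag nix-daemon writes that land outside the paths the daemon should touch."""
import posixpath
from typing import Dict, List

# Assumed legitimate write locations for a root nix-daemon (store, database,
# temproots, profiles, build logs). Extend for a custom store or build-dir.
ALLOWED_PREFIXES = ("/nix/store/", "/nix/var/nix/", "/nix/var/log/nix/")
WRITE_ACTIONS = {"creation", "modification", "rename", "deletion"}

Event = Dict[str, str]


def is_expected_path(path: str) -> bool:
    """Normalize first so '/nix/store/../etc/x' cannot pass the prefix test."""
    norm = posixpath.normpath(path)
    return any(norm.startswith(prefix) for prefix in ALLOWED_PREFIXES)


def suspicious_writes(events: List[Event]) -> List[Event]:
    """Return the events a nix-daemon write lands outside its expected paths."""
    hits = []
    for e in events:
        if e.get("process.name") != "nix-daemon":
            continue
        if e.get("event.action") not in WRITE_ACTIONS:
            continue
        if not is_expected_path(e.get("file.path", "")):
            hits.append(e)
    return hits


# Constructed sample events, not captured from a real system.
SAMPLE_EVENTS: List[Event] = [
    {"process.name": "nix-daemon", "event.action": "creation",
     "file.path": "/nix/store/abc-hello-1.0/bin/hello"},        # normal unpack
    {"process.name": "nix-daemon", "event.action": "modification",
     "file.path": "/nix/var/nix/db/db.sqlite"},                 # normal db write
    {"process.name": "nix-daemon", "event.action": "creation",
     "file.path": "/nix/store/../../etc/cron.d/job"},           # traversal: flag
    {"process.name": "nix-daemon", "event.action": "open",
     "file.path": "/etc/nix/nix.conf"},                         # read, not a write
    {"process.name": "sshd", "event.action": "modification",
     "file.path": "/var/log/wtmp"},                             # other process
]

if __name__ == "__main__":
    for hit in suspicious_writes(SAMPLE_EVENTS):
        print("ALERT nix-daemon wrote outside expected paths:", hit["file.path"])
```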

🔗 References

  • GitHub Security Advisory GHSA-h4vv-h3jq-v493: https://github.com/NixOS/nix/security/advisories/GHSA-h4vv-h3jq-v493
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-45593
