CVE-2025-52993
📋 TL;DR
A race condition in the Nix, Lix, and Guix package managers lets a local attacker make the privileged build daemon change the ownership of an arbitrary file to a build user's UID/GID. Because the attacker's own builds run as that same build user, the chowned file becomes writable to them, which is the stepping stone to local privilege escalation. It affects multi-user installations (a root-owned daemon running builds as dedicated nixbld*/guixbuilder* accounts) on unfixed versions. The root cause is missing synchronization in the daemon's file handling during builds.
💻 Affected Systems
- Nix
- Lix
- Guix
⚠️ Manual Verification Required
The NVD entry for this CVE carries no affected-version ranges, so scanners that key on NVD data cannot tell from a version string alone whether a host is affected.
Why? The vendor/NVD record does not list version ranges; the fixed releases are only given in the vendor advisories (see Fix & Mitigation below).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Update to one of the fixed releases listed under Fix & Mitigation, and restart the build daemon afterwards
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through privilege escalation to root, allowing attackers to modify critical system files, install backdoors, or access sensitive data.
Likely Case
Local privilege escalation: a user who can submit builds gets a file of their choice chowned to a build user, then modifies it from a build running as that user; if the file is a root-owned configuration file or executable, that leads on to root.
If Mitigated
A patched daemon is not affected. Short of patching, limiting which local accounts can submit builds to the daemon shrinks the set of users who can exploit the race, but does not stop the ownership change itself once a malicious build is running.
🎯 Exploit Status
Exploitation requires a local account that can submit builds to the build daemon and winning a narrow race window. No public exploit code had been released as of the advisory dates.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Nix 2.24.15, 2.26.4, 2.28.4, 2.29.1 or later; Lix 2.91.2, 2.92.2, 2.93.1 or later; Guix 1.4.0-38.0e79d5b or later
Vendor Advisory: https://discourse.nixos.org/t/security-advisory-privilege-escalations-in-nix-lix-and-guix/66017
Restart Required: Yes. The vulnerable code runs inside the build daemon (nix-daemon or guix-daemon), so the daemon must be restarted after the upgrade; a client in PATH that already reports a fixed version says nothing about the daemon that is still running the old binary.
Instructions:
1. Nix, multi-user install on a non-NixOS system: upgrade the daemon's Nix as root (sudo -i nix upgrade-nix, which needs the nix-command experimental feature), then sudo systemctl restart nix-daemon. On NixOS: update the nixpkgs input and nixos-rebuild switch, then confirm the daemon restarted (see How to Verify).
2. Lix: Lix is installed in place of Nix (there is no separate lix binary), so upgrade through whatever installed it (the NixOS module, nixpkgs, or the Lix installer) following the Lix advisory linked below, then restart nix-daemon.
3. Guix: on Guix System, guix pull && sudo guix system reconfigure /etc/config.scm; on a foreign distribution, sudo -i guix pull && sudo systemctl restart guix-daemon. A plain guix package -u only upgrades the user's own profile and leaves the daemon untouched.
🔧 Temporary Workarounds
Restrict who can submit builds (Nix, Lix)
Only an account that can reach the build daemon can trigger the race. In nix.conf, limit allowed-users to the accounts that genuinely need Nix, keep trusted-users to root, and restart nix-daemon to apply:
allowed-users = root @wheel
trusted-users = root
Do not chmod 700 /nix/store or strip the build users' read access to the store: every user and every build needs to read the store, and the flaw is in the daemon's chown, not in store permissions, so that breaks the system without closing the hole.
Isolate build environments
Run builds for untrusted users on a dedicated build host or VM rather than on a shared multi-user machine, so that a successful escalation is confined to that host. Bind-mounting the host's /nix into a container and running nix-build there isolates nothing: the container then operates on the host's store.
🧯 If You Can't Patch
- Restrict shell access to users who don't need package manager privileges
- Monitor file ownership changes in /nix/store and other package manager directories
🔍 How to Verify
Check if Vulnerable:
Compare the installed version with the fixed releases above. Lix installs itself as nix, so there is no lix binary: nix --version prints nix (Nix) X.Y.Z for Nix and nix (Lix, like Nix) X.Y.Z for Lix. Guix reports the pulled commit as a suffix of its version string (guix --version, guix describe).
Check Version:
nix --version 2>/dev/null; guix --version 2>/dev/null
On a multi-user install also check the binary the daemon is actually running, since it can lag behind the client in PATH; the store path name carries the version:
readlink /proc/$(pidof -s nix-daemon)/exe
readlink /proc/$(pidof -s guix-daemon)/exe
Verify Fix Applied:
Verify the reported version is at or above the fixed release for its branch, confirm the daemon was restarted after the upgrade (its /proc/<pid>/exe points at the new binary), and run a test build to confirm basic package operations still work.
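The version comparison above is branch-aware: Nix 2.24.15 is fixed while Nix 2.25.x never received a fixed release. The script below, an added example that is not part of Nix, Lix or the advisory, encodes the fixed releases listed on this page and classifies a `nix --version` line accordingly. It assumes the first-line formats `nix (Nix) X.Y.Z` and `nix (Lix, like Nix) X.Y.Z`; Guix's commit-suffixed version string is not ordered by it, so check Guix by commit instead.

```python
"""Added example: classify a `nix --version` line against the fixed releases
listed in the CVE-2025-52993 advisory. Not part of Nix, Lix or the advisory."""
import re
import subprocess

# First fixed release on each maintained branch, from the advisory:
# (major, minor) -> (major, minor, patch)
FIXED = {
    "Nix": {(2, 24): (2, 24, 15), (2, 26): (2, 26, 4), (2, 28): (2, 28, 4), (2, 29): (2, 29, 1)},
    "Lix": {(2, 91): (2, 91, 2), (2, 92): (2, 92, 2), (2, 93): (2, 93, 1)},
}

# Assumed first-line formats: "nix (Nix) 2.24.13" and "nix (Lix, like Nix) 2.93.0".
VERSION_RE = re.compile(r"^nix \((Nix|Lix)(?:, like Nix)?\) (\d+)\.(\d+)\.(\d+)")


def parse_version(output):
    """Return (flavour, (major, minor, patch)) from `nix --version` output."""
    first = output.strip().splitlines()[0] if output.strip() else ""
    m = VERSION_RE.match(first)
    if not m:
        raise ValueError(f"unrecognised version line: {first!r}")
    return m.group(1), tuple(int(x) for x in m.group(2, 3, 4))


def assess(output):
    """'fixed' or 'vulnerable' for the client that produced this output."""
    flavour, ver = parse_version(output)
    fixed_on_branch = FIXED[flavour].get(ver[:2])
    if fixed_on_branch is not None:
        return "fixed" if ver >= fixed_on_branch else "vulnerable"
    # Branches without a listed fix: anything newer than the newest fixed release
    # (e.g. Nix 2.30.x, Lix 2.94.x) carries the fix; anything older (Nix 2.25.x,
    # 2.27.x, pre-2.24; Lix 2.90.x and earlier) has no fixed release on this page,
    # so treat it as vulnerable and move to a fixed branch.
    return "fixed" if ver > max(FIXED[flavour].values()) else "vulnerable"


def installed_version():
    """Output of `nix --version` for the client in PATH, or None if absent."""
    try:
        return subprocess.run(["nix", "--version"], capture_output=True,
                              text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    out = installed_version()
    if out is None:
        print("no nix client found in PATH")
    else:
        print(out.splitlines()[0], "->", assess(out))
```

This checks the client in PATH. On a multi-user install, the daemon is the process that matters; feed it the version of the binary behind `readlink /proc/$(pidof -s nix-daemon)/exe` as well, and treat a mismatch between the two as "daemon not yet restarted".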
📡 Detection & Monitoring
Log Indicators:
- Unexpected file ownership changes in /nix/store or package directories
- Bursts of rapid file operations by a build user inside a build directory (for example renames or symlink creation in a tight loop), the pattern of a process trying to win the race
- Failed privilege escalation attempts
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
The ownership change is performed by the daemon running as root, not by the build user, so a query filtered on user=nixbld* misses it; setxattr is not involved. Log chown-family syscalls with an auditd rule such as
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F euid=0 -k chown_watch
and alert on events whose target path is outside the store and build directories:
source=*audit* key=chown_watch NOT name="/nix/store/*" NOT name="/nix/var/nix/builds/*" NOT name="/tmp/nix-build-*" NOT name="/gnu/store/*" NOT name="/tmp/guix-build-*"
then post-filter on the new-owner argument (a1 for chown/lchown/fchown, a2 for fchownat, logged as bare hex) matching a build user UID.
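The post-filtering step above is the part a SIEM search string handles badly, because auditd splits one event into a SYSCALL record (with the hex uid argument) and PATH records (with the file name). The script below is an added detection example, not code from Nix, Lix, Guix or the advisory: it regroups raw auditd lines by event serial, decodes the uid/gid argument slot for each chown-family syscall, and reports events that hand a file outside the store and build directories to a build user. It assumes x86_64 syscall numbers, the default store and build-directory locations, build accounts named nixbld*/guixbuilder*, and a constructed sample log in which nixbld1 has UID 30001.

```python
"""Added detection example for CVE-2025-52993: find chown-family syscalls that
hand a file outside the store/build directories to a Nix or Guix build user.

Input is raw auditd output (/var/log/audit/audit.log) from a rule such as
    -a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F euid=0 -k chown_watch
Assumptions (editor's, not the projects'): x86_64 syscall numbers, default
store/build-directory locations, build accounts named nixbld*/guixbuilder*.
"""
import re
import sys
from collections import defaultdict

X86_64 = "c000003e"
# syscall number -> (name, argument slot holding the new uid, slot holding the new gid)
CHOWN_SYSCALLS = {
    92: ("chown", 1, 2),
    93: ("fchown", 1, 2),
    94: ("lchown", 1, 2),
    260: ("fchownat", 2, 3),
}
# Places where the daemon legitimately chowns things to a build user.
EXPECTED_PREFIXES = ("/nix/store/", "/nix/var/nix/builds/", "/tmp/nix-build-",
                     "/gnu/store/", "/tmp/guix-build-")

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")


def build_user_ids():
    """(uids, gids) of the local build accounts, read from the passwd database."""
    import pwd  # POSIX only
    users = [p for p in pwd.getpwall() if p.pw_name.startswith(("nixbld", "guixbuild"))]
    return {p.pw_uid for p in users}, {p.pw_gid for p in users}


def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["_serial"] = int(SERIAL_RE.search(line).group(1))
    return rec


def group_events(lines):
    """auditd emits one SYSCALL record plus zero or more PATH records per event,
    possibly interleaved with other events; regroup them by serial number."""
    events = defaultdict(list)
    for line in lines:
        if "msg=audit(" in line:
            rec = parse_record(line)
            events[rec["_serial"]].append(rec)
    return events


def suspicious_chowns(lines, build_uids, build_gids=frozenset()):
    """Return events that chown something to a build user outside the expected
    directories. An fchown() on a file descriptor has no PATH record, so its
    target is unknown; it is reported with path=None rather than dropped."""
    findings = []
    for serial, records in sorted(group_events(lines).items()):
        sc = next((r for r in records if r.get("type") == "SYSCALL"), None)
        if sc is None or sc.get("arch") != X86_64:
            continue  # other architectures need their own syscall table
        nr = int(sc.get("syscall", -1))
        if nr not in CHOWN_SYSCALLS:
            continue
        name, uid_slot, gid_slot = CHOWN_SYSCALLS[nr]
        new_uid = int(sc[f"a{uid_slot}"], 16)  # audit logs arguments as bare hex;
        new_gid = int(sc[f"a{gid_slot}"], 16)  # 0xffffffff means "unchanged"
        if new_uid not in build_uids and new_gid not in build_gids:
            continue
        paths = [r["name"] for r in records if r.get("type") == "PATH" and "name" in r]
        path = paths[-1] if paths else None
        if path is not None and path.startswith(EXPECTED_PREFIXES):
            continue
        findings.append({"serial": serial, "syscall": name, "path": path, "uid": new_uid,
                         "gid": new_gid, "exe": sc.get("exe"), "success": sc.get("success")})
    return findings


# Constructed sample (not real log data): a normal build-dir chown, a chown of
# /etc/passwd to nixbld1 (uid 0x7531 = 30001), a store path handed back to root,
# and an fchown on a bare file descriptor with no PATH record.
SAMPLE_LOG = """
type=SYSCALL msg=audit(1750752000.101:4567): arch=c000003e syscall=92 success=yes exit=0 a0=55d4c8a1f2c0 a1=7531 a2=7531 a3=0 items=1 pid=1234 uid=0 euid=0 comm="nix-daemon" exe="/nix/store/abc-nix-2.24.13/bin/nix" key="chown_watch"
type=PATH msg=audit(1750752000.101:4567): item=0 name="/tmp/nix-build-hello-2.12.drv-0" inode=1001 dev=00:2a mode=040700 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1750752000.205:4568): arch=c000003e syscall=260 success=yes exit=0 a0=ffffff9c a1=55d4c8a1f300 a2=7531 a3=7531 items=1 pid=1234 uid=0 euid=0 comm="nix-daemon" exe="/nix/store/abc-nix-2.24.13/bin/nix" key="chown_watch"
type=PATH msg=audit(1750752000.205:4568): item=0 name="/etc/passwd" inode=2002 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1750752000.310:4569): arch=c000003e syscall=94 success=yes exit=0 a0=55d4c8a1f400 a1=0 a2=0 a3=0 items=1 pid=1234 uid=0 euid=0 comm="nix-daemon" exe="/nix/store/abc-nix-2.24.13/bin/nix" key="chown_watch"
type=PATH msg=audit(1750752000.310:4569): item=0 name="/nix/store/abc-hello-2.12" inode=3003 dev=00:2a mode=040755 ouid=30001 ogid=30000 nametype=NORMAL
type=SYSCALL msg=audit(1750752000.420:4570): arch=c000003e syscall=93 success=yes exit=0 a0=7 a1=7532 a2=7532 a3=0 items=0 pid=1234 uid=0 euid=0 comm="nix-daemon" exe="/nix/store/abc-nix-2.24.13/bin/nix" key="chown_watch"
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # real log file, real build accounts
        uids, gids = build_user_ids()
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:                  # demo on the constructed sample
        uids, gids, lines = {30001, 30002}, {30000}, SAMPLE_LOG.splitlines()
    for finding in suspicious_chowns(lines, uids, gids):
        print(finding)
```

On the sample this reports two events: the fchownat of /etc/passwd to UID 30001, and the fchown on a file descriptor whose target cannot be resolved from the audit record and therefore needs a manual look. Tune EXPECTED_PREFIXES to your build-dir setting; a custom build directory that is not listed will show up as a flood of false positives.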
🔗 References
- https://discourse.nixos.org/t/security-advisory-privilege-escalations-in-nix-lix-and-guix/66017
- https://guix.gnu.org/en/blog/2025/privilege-escalation-vulnerabilities-2025/
- https://labs.snyk.io
- https://lix.systems/blog/2025-06-24-lix-cves/
- https://security-tracker.debian.org/tracker/CVE-2025-52993
- https://security.snyk.io/vuln/?search=CVE-2025-52993