CVE-2025-53819
📋 TL;DR
Nix 2.30.0 on macOS executes builds with root privileges instead of designated build users, allowing malicious build scripts to gain full system control. This affects macOS users running Nix 2.30.0 for package builds. The vulnerability stems from improper privilege separation during build execution.
💻 Affected Systems
- Nix package manager
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via malicious build scripts executing arbitrary code as root, leading to data theft, persistence installation, or system destruction.
Likely Case
Build-time supply chain attacks where malicious packages gain root access during installation, potentially compromising the entire system.
If Mitigated
Limited impact if builds only use trusted packages and scripts, though privilege escalation risk remains.
🎯 Exploit Status
Exploitation requires building packages with Nix 2.30.0 on macOS. The vulnerability is in the build execution mechanism itself.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.30.1
Vendor Advisory: https://github.com/NixOS/nix/security/advisories/GHSA-qc7j-jgf3-qmhg
Restart Required: No
Instructions:
1. Update Nix to version 2.30.1 or later using your package manager.
2. For macOS: Run 'nix-env -iA nixpkgs.nix' or use the official installer.
3. Verify the update with 'nix --version'.
🔧 Temporary Workarounds
No known workarounds
The advisory states no workarounds are available. Immediate patching is required.
🧯 If You Can't Patch
- Avoid building packages with Nix 2.30.0 on macOS until patched
- Use Linux or other Unix systems for builds instead of macOS
🔍 How to Verify
Check if Vulnerable:
Run 'nix --version' and confirm the host is macOS; a reported version of 2.30.0 on macOS is affected.
Check Version:
nix --version
Verify Fix Applied:
Confirm Nix version is 2.30.1 or later with 'nix --version' and ensure macOS builds now use proper build users.
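The version check above can be scripted so it runs unattended on a fleet of macOS hosts. The script below is an added example, not code from the advisory or from the Nix project; it assumes 'nix --version' prints a line of the form 'nix (Nix) X.Y.Z', that the affected release is exactly 2.30.0 with 2.30.1 as the fix (as this page states), and that macOS is identified by 'uname -s' reporting 'Darwin'.

```shell
#!/bin/sh
# Added example for CVE-2025-53819: flag a macOS host running the affected Nix release.
# Not from the advisory or the Nix project. Assumes the page's stated range
# (only 2.30.0 affected, 2.30.1 fixed) and the usual "nix (Nix) X.Y.Z" version line.

# Returns 0 when the (version, OS) pair is affected, 1 otherwise.
nix_affected() {
    version="$1"   # e.g. "2.30.0"
    os="$2"        # output of `uname -s`, e.g. "Darwin"
    [ "$os" = "Darwin" ] || return 1      # the page scopes the bug to macOS builds
    [ "$version" = "2.30.0" ] && return 0  # affected release per the page
    return 1
}

# Extract the numeric version from a `nix --version` line such as "nix (Nix) 2.30.0".
parse_nix_version() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]\([0-9][0-9.]*\).*/\1/p'
}

# Inspect the local host. Exit status 1 means "affected", 0 means "not affected" or
# "nix not installed", so the script can gate a CI job or fleet check.
check_host() {
    if ! command -v nix >/dev/null 2>&1; then
        echo "nix not installed"
        return 0
    fi
    v=$(parse_nix_version "$(nix --version 2>/dev/null)")
    os=$(uname -s)
    if nix_affected "$v" "$os"; then
        echo "AFFECTED: nix $v on macOS (CVE-2025-53819); update to 2.30.1 or later"
        return 1
    fi
    echo "not affected: nix ${v:-unknown} on $os"
    return 0
}

check_host
```

Running the script on a host prints one line and exits nonzero only when the affected pair is found; the two helper functions are kept separate from check_host so they can be tested offline against constructed version strings.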
📡 Detection & Monitoring
Log Indicators:
- Build logs showing processes running as root instead of build users
- Unexpected root privilege usage during package builds
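The log indicators above amount to one question: are build processes spawned by the daemon running as root rather than as a build user? The script below is an added example, not code from the advisory or from the Nix project, that answers it from a process listing. It assumes the standard multi-user macOS install, where the daemon process is named nix-daemon and builds run as dedicated build users (the installer creates these as _nixbld1, _nixbld2, ...), and it reads 'ps -axo user=,ppid=,pid=,comm=' output. The daemon forks a per-connection child that is also named nix-daemon and legitimately runs as root, so only descendants that are not themselves nix-daemon are flagged. The sample listing embedded in the script is constructed for illustration.

```shell
#!/bin/sh
# Added detection example for CVE-2025-53819 (not from the advisory or the Nix project).
# Flags processes that descend from nix-daemon, are not nix-daemon themselves, and run as
# root. On a healthy macOS install such builders run as _nixbldN users instead.

# Constructed sample in `ps -axo user=,ppid=,pid=,comm=` format (user ppid pid comm).
# pid 600 is the daemon's per-connection child (root, expected); pid 602 is a correctly
# de-privileged builder; pids 603 and 604 are root builders, i.e. the bug's symptom.
SAMPLE_PS='root       1   501 nix-daemon
root     501   600 nix-daemon
_nixbld1 600   602 bash
root     600   603 bash
root     603   604 clang'

# Reads a process listing on stdin; prints the pids of root-owned, non-daemon
# descendants of nix-daemon, one per line, numerically sorted.
root_build_children() {
    awk '
        { user[$3] = $1; ppid[$3] = $2; comm[$3] = $4 }
        END {
            for (p in ppid) {
                # skip daemon processes and anything already running as a non-root user
                if (comm[p] ~ /nix-daemon/ || user[p] != "root") continue
                # walk up the parent chain looking for a nix-daemon ancestor
                a = ppid[p]; hit = 0
                while (a in ppid) {
                    if (comm[a] ~ /nix-daemon/) { hit = 1; break }
                    a = ppid[a]
                }
                if (hit) print p
            }
        }' | sort -n
}

# Live check of the local host: nonzero exit when any root builder is found.
scan_host() {
    found=$(ps -axo user=,ppid=,pid=,comm= | root_build_children)
    if [ -n "$found" ]; then
        echo "root-owned build processes under nix-daemon (CVE-2025-53819 indicator):"
        echo "$found"
        return 1
    fi
    echo "no root-owned build processes under nix-daemon"
    return 0
}

# Demonstrate on the constructed sample, then inspect the real host.
printf '%s\n' "$SAMPLE_PS" | root_build_children
scan_host
```

On the constructed sample the function prints 603 and 604: the builder and the compiler it spawned are both root, while the per-connection daemon child (600) and the properly de-privileged builder (602) are left alone. Running scan_host periodically, or once after upgrading to 2.30.1, gives a direct check that builds again run as build users.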
Network Indicators:
- Not applicable - local vulnerability
SIEM Query:
Not applicable - primarily local build process issue