CVE-2025-54864
📋 TL;DR
This vulnerability allows unauthenticated API calls to trigger resource-intensive evaluations in Hydra, potentially causing denial of service attacks. Any organization running vulnerable versions of Hydra with internet-facing API endpoints is affected. The issue stems from missing HTTP Basic authentication on forge webhook endpoints.
💻 Affected Systems
- Hydra (NixOS continuous integration service)
📦 What is this software?
Hydra by NixOS
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for the Hydra evaluation service, potentially affecting dependent CI/CD pipelines and development workflows.
Likely Case
Degraded performance or temporary unavailability of Hydra evaluation services during targeted attacks.
If Mitigated
Minimal impact with proper authentication controls and rate limiting in place.
🎯 Exploit Status
Exploitation requires only HTTP requests to vulnerable endpoints; no authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit f7bda02 or later
Vendor Advisory: https://github.com/NixOS/hydra/security/advisories/GHSA-qpq3-646c-vgx9
Restart Required: Yes
Instructions:
1. Update Hydra to commit f7bda02 or later.
2. Restart the Hydra service.
3. Verify that the endpoints now require authentication.
🔧 Temporary Workarounds
Reverse Proxy Block
Block access to the vulnerable API endpoints using a reverse proxy or web application firewall. The nginx locations below are prefix matches, so they also cover any sub-paths; place them in the server block that proxies to Hydra.
# Example nginx location blocks
location /api/push-github { deny all; }
location /api/push-gitea { deny all; }
🧯 If You Can't Patch
- Implement network-level access controls to restrict access to /api/push-github and /api/push-gitea endpoints
- Deploy rate limiting on API endpoints to mitigate DoS impact
🔍 How to Verify
Check if Vulnerable:
Check if Hydra version is prior to commit f7bda02 and test if /api/push-github and /api/push-gitea endpoints accept unauthenticated requests
Check Version:
git log --oneline -1
(This shows only the checked-out HEAD; if the deployment sits on a later merge, `git merge-base --is-ancestor f7bda02 HEAD` confirms that the fix commit is contained in the deployed revision.)
Verify Fix Applied:
Verify Hydra is at commit f7bda02 or later and test that /api/push-github and /api/push-gitea endpoints now require authentication
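As an added example (not Hydra project code) of the endpoint test described above: a small Python script that sends one credential-less POST to each forge webhook path and classifies the HTTP status. It assumes, because the advisory does not state it, that the endpoints take a POST, that a patched Hydra answers a request without credentials with 401, and that the reverse-proxy `deny all` workaround answers 403; the `prober` parameter is there so the classification can be exercised without a live instance.

```python
"""Verify whether a Hydra instance's forge webhook endpoints still accept
unauthenticated requests (CVE-2025-54864).

Added example for the "How to Verify" steps; not Hydra project code.
Assumptions not stated on the advisory page: the endpoints accept POST,
a patched Hydra returns 401 to a request with no credentials, and the
nginx "deny all" workaround returns 403.
"""
import sys
import urllib.error
import urllib.request

# The two endpoints named in the advisory.
WEBHOOK_PATHS = ("/api/push-github", "/api/push-gitea")


def classify_status(status):
    """Map the HTTP status of an unauthenticated POST to a verdict string."""
    if status is None:
        return "unreachable: connection failed"
    if status == 401:
        return "fixed: endpoint demands credentials"
    if status == 403:
        return "blocked: proxy/WAF deny rule in effect"
    if 200 <= status < 300:
        return "VULNERABLE: request accepted without authentication"
    return f"inconclusive: unexpected status {status}"


def probe(base_url, path, timeout=10):
    """POST to base_url+path with no Authorization header; return the HTTP
    status, or None if the host could not be reached."""
    req = urllib.request.Request(base_url.rstrip("/") + path, data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:  # 4xx/5xx raise but carry the status
        return e.code
    except urllib.error.URLError:
        return None


def verify(base_url, prober=probe):
    """Return {path: verdict} for both webhook endpoints. `prober` is
    injectable so the logic can be tested without network access."""
    return {p: classify_status(prober(base_url, p)) for p in WEBHOOK_PATHS}


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: verify_hydra_webhooks.py https://hydra.example.org")
        sys.exit(0)
    for path, verdict in verify(sys.argv[1]).items():
        print(f"{path}: {verdict}")
```

A 401 on both paths, or a 403 where the proxy workaround is in place, is the expected result after the fix; a 2xx means the evaluation was triggered without credentials and the instance is still exposed.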
📡 Detection & Monitoring
Log Indicators:
- High frequency of requests to /api/push-github or /api/push-gitea
- Unusual spike in evaluation job creation
- Failed authentication attempts on previously unauthenticated endpoints
Network Indicators:
- Unusual traffic patterns to Hydra API endpoints
- Requests to /api/push-github or /api/push-gitea without authentication headers
SIEM Query:
source="hydra.log" AND (uri_path="/api/push-github" OR uri_path="/api/push-gitea") AND NOT auth_method="basic"
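The SIEM query above assumes the log source already exposes `uri_path` and `auth_method` fields. As an added example (not Hydra project code) of the same detection applied to a reverse-proxy access log, the Python below parses Combined Log Format lines, reports webhook requests that carried no HTTP Basic user (the SIEM query's condition), and flags sources whose request rate to the webhook paths spikes within a sliding window (the "high frequency of requests" indicator). It assumes the proxy records the Basic-auth username in the `$remote_user` field (`-` when absent); the log lines are constructed for the example, not captured from a real deployment.

```python
"""Detect unauthenticated and high-rate requests to Hydra's forge webhook
endpoints (/api/push-github, /api/push-gitea) in proxy access logs.

Added example for the CVE-2025-54864 detection section; not Hydra project
code. Assumes the proxy writes the Combined Log Format and puts the HTTP
Basic username in the remote_user field ("-" when unauthenticated).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WEBHOOK_PATHS = {"/api/push-github", "/api/push-gitea"}

# Combined Log Format: host ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the fields we need as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    rec["status"] = int(rec["status"])
    rec["authenticated"] = rec["user"] != "-"
    return rec


def unauthenticated_webhook_hits(lines):
    """Equivalent of the SIEM query: webhook paths reached without Basic auth."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in WEBHOOK_PATHS and not rec["authenticated"]:
            hits.append(rec)
    return hits


def rate_spikes(lines, window=timedelta(seconds=60), threshold=5):
    """Sources that sent more than `threshold` webhook requests inside any
    sliding `window`, authenticated or not. Returns {src: peak_count}."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in WEBHOOK_PATHS:
            per_src[rec["src"]].append(rec["time"])
    spikes = {}
    for src, times in per_src.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            spikes[src] = peak
    return spikes


# Constructed sample log (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    # legitimate forge webhook, authenticated: remote_user is set
    '203.0.113.10 - github-hook [10/Sep/2025:12:00:01 +0000] '
    '"POST /api/push-github HTTP/1.1" 200 15 "-" "GitHub-Hookshot/abc"',
    # unrelated, unauthenticated browsing of a jobset page
    '198.51.100.7 - - [10/Sep/2025:12:00:02 +0000] '
    '"GET /jobset/nixpkgs/trunk HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
] + [
    # burst of eight unauthenticated pushes from one source within a minute
    f'192.0.2.55 - - [10/Sep/2025:12:00:{s:02d} +0000] '
    f'"POST /api/push-gitea?x=1 HTTP/1.1" 200 15 "-" "curl/8.0"'
    for s in range(5, 13)
]

if __name__ == "__main__":
    for h in unauthenticated_webhook_hits(SAMPLE_LOG):
        print(f"unauthenticated webhook call: {h['src']} {h['method']} {h['path']}")
    for src, n in rate_spikes(SAMPLE_LOG).items():
        print(f"rate spike: {src} made {n} webhook requests within 60s")
```

The rate check is deliberately independent of authentication, since a flood of authenticated pushes still produces the evaluation load; tune `window` and `threshold` to the normal webhook cadence of the forges that feed the instance.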