CVE-2025-59378
📋 TL;DR
This vulnerability in GNU Guix's guix-daemon allows local users to escalate privileges by writing a malicious content-addressed-mirrors file that creates a setuid program. This enables a regular user to gain the privileges of the build user, potentially leading to root access. Systems running vulnerable versions of GNU Guix with the daemon enabled are affected.
💻 Affected Systems
- GNU Guix
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation to root, allowing complete system compromise and persistence establishment.
Likely Case
Local privilege escalation to build user privileges, enabling unauthorized access to system resources and potential lateral movement.
If Mitigated
Limited impact if build users have minimal privileges and proper access controls are in place.
🎯 Exploit Status
Requires local access and knowledge of the system. Exploitation involves writing to specific files and understanding Guix's build system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version including commit 1618ca7aa2ee8b6519ee9fd0b965e15eca2bfe45
Vendor Advisory: https://guix.gnu.org/en/blog/2025/privilege-escalation-vulnerability-2025-2/
Restart Required: No
Instructions:
1. Update GNU Guix to version containing commit 1618ca7aa2ee8b6519ee9fd0b965e15eca2bfe45
2. Run: guix pull
3. Restart guix-daemon service if it doesn't automatically restart
🔧 Temporary Workarounds
Restrict guix-daemon access
Linux: Limit which users can interact with guix-daemon to reduce the attack surface
chmod 750 /var/guix/daemon-socket
setfacl -m u:username:rx /var/guix/daemon-socket
🧯 If You Can't Patch
- Restrict local user access to systems running vulnerable guix-daemon
- Implement strict file permissions on content-addressed-mirrors directories
🔍 How to Verify
Check if Vulnerable:
Check that guix-daemon is running, then check which Guix commit is deployed. Note that guix --version and guix describe report only the commit currently checked out, so an exact match succeeds only when the deployment is at that precise commit; any later commit also contains the fix, so a 'Vulnerable' result from this check is not conclusive on its own: guix describe | grep -q 'commit: 1618ca7' && echo 'Patched' || echo 'Vulnerable'
Check Version:
guix --version
Verify Fix Applied:
Verify the fixing commit (or a later one) is the deployed Guix commit: guix describe | grep 1618ca7
📡 Detection & Monitoring
Log Indicators:
- Unauthorized writes to content-addressed-mirrors files
- Unexpected setuid program creation in Guix store
Network Indicators:
- Local socket connections to guix-daemon from unexpected users
SIEM Query:
process.name:guix-daemon AND file.path:*content-addressed-mirrors* AND file.action:write