Delroth

**Name of the Vulnerable Software and Affected Versions** Hydra (affected versions not specified) **Description** Hydra is a Continuous Integration service for Nix-based projects. It is possible to trigger evaluations in Hydra without any authentication. Depending on the size of evaluations, this can impact the availability of systems. **Recommendations** To fix the issue, apply the patch from https://github.com/NixOS/hydra/commit/f73043378907c2c7e44f633ad764c8bdd1c947d5 to any Hydra package and upgrade. As a temporary workaround for users unable to upgrade, deny the "/api/push" route in a reverse proxy, noting that this will also break the "Evaluate jobset" button in the frontend.

**Name of the Vulnerable Software and Affected Versions** Hydra versions prior to the fix commit applied around 2024-04-21 14:30 UTC **Description** Hydra, a Continuous Integration service for Nix-based projects, has an issue that allows attackers to execute arbitrary code in the browser context and execute authenticated HTTP requests. The problem arises from a feature that lets Nix builds specify files served by Hydra to clients, particularly affecting HTML files. This issue can be worked around by not opening HTML build artifacts until the vulnerability is fixed. **Recommendations** For versions prior to the fix commit, apply the fix commit to local installations to resolve the issue. For users of the nixpkgs package, update to unstable or 23.11 to obtain the fixed version. As a temporary workaround, consider not opening HTML build artifacts until the issue is resolved.