PT-2024-24749 · Hydra · Hydra

Delroth

·

Published

2024-04-22

·

Updated

2024-04-23

·

CVE-2024-32657

CVSS v3.1

5.4

Medium

Vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Hydra versions prior to the fix commit applied around 2024-04-21 14:30 UTC

Description

Hydra, a Continuous Integration service for Nix-based projects, lets a build declare files (build products) that Hydra then serves to its users from its own origin. An HTML build product is served inline, so any script it carries runs in the browser context of the Hydra user who opens it and can issue authenticated HTTP requests to Hydra on that user's behalf (stored cross-site scripting through attacker-controlled build output). An attacker who can influence what a build writes to its output can therefore plant such a product. Until the fix is applied, the issue can be worked around by not opening HTML build artifacts.

Recommendations

Installations running a version older than the fix commit should apply that commit. Users of the nixpkgs package should update to the unstable or 23.11 channel, which carry the fixed version. As a temporary workaround, do not open HTML build artifacts until the fix is in place.
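The following is an added example written for this entry; it is not code from Hydra or from the advisory. It models the mechanism described above: a build declares products in $out/nix-support/hydra-build-products (Hydra's documented "type subtype path" line format), the server serves each product by its media type, and an HTML product therefore renders and runs script in the server's own origin. The sample manifest, the sample payload and the placeholder route inside it are constructed for illustration; the Content-Security-Policy sandbox and nosniff headers in response_headers() are one standard mitigation shown for contrast, and nothing here asserts what the upstream fix commit actually changed.

```python
"""Why an HTML build product becomes XSS, and one header-based hardening.

Added example for this advisory, not Hydra's code.  Assumptions:
- manifest format "type subtype path" in $out/nix-support/hydra-build-products;
- SAMPLE_MANIFEST and MALICIOUS_REPORT are constructed; the route in the
  payload is a placeholder, not a real Hydra endpoint;
- the hardened header set is an illustrative mitigation, not the upstream fix.
"""
from __future__ import annotations

from dataclasses import dataclass
import mimetypes

# Constructed sample of $out/nix-support/hydra-build-products.  The last
# line is the attacker-controlled product a CI server would serve inline.
SAMPLE_MANIFEST = """\
file binary-dist /nix/store/abc-hello-1.0/hello-1.0.tar.gz
doc manual /nix/store/abc-hello-1.0/share/doc/manual.pdf
report html /nix/store/abc-hello-1.0/report.html
"""

# Constructed payload: once rendered in the CI server's origin, the script
# runs as the viewing user and can call the server with that user's session.
MALICIOUS_REPORT = (
    "<html><body>Build report"
    "<script>fetch('/some/authenticated/action',"  # placeholder route
    " {method: 'POST', credentials: 'include'})</script>"
    "</body></html>"
)

# Media types in which a browser executes script when the file is opened
# directly (SVG included: as a top-level document it runs <script>).
ACTIVE_CONTENT_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


@dataclass(frozen=True)
class BuildProduct:
    type: str     # e.g. "file", "doc", "report"
    subtype: str  # e.g. "binary-dist", "manual", "html"
    path: str     # store path of the file to serve


def parse_build_products(manifest: str) -> list[BuildProduct]:
    """Parse hydra-build-products lines; blank lines are skipped, short ones rejected."""
    products = []
    for raw in manifest.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(maxsplit=3)  # an optional 4th field (display name) is ignored
        if len(parts) < 3:
            raise ValueError(f"malformed build product line: {line!r}")
        products.append(BuildProduct(parts[0], parts[1], parts[2]))
    return products


def content_type_for(path: str) -> str:
    ctype, _encoding = mimetypes.guess_type(path)
    return ctype or "application/octet-stream"


def response_headers(product: BuildProduct, hardened: bool) -> dict[str, str]:
    """Headers a server would send for a product download.

    hardened=False is the dangerous shape: the file goes out with its guessed
    media type and nothing else, so an HTML product renders in the server's
    origin.  hardened=True adds CSP 'sandbox' (opaque origin, no script) and
    nosniff so other content cannot be promoted to HTML by sniffing.
    """
    headers = {"Content-Type": content_type_for(product.path)}
    if hardened:
        headers["Content-Security-Policy"] = "sandbox"
        headers["X-Content-Type-Options"] = "nosniff"
    return headers


def csp_blocks_script(csp: str) -> bool:
    """True if the policy has a sandbox directive that does not re-enable script."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0] == "sandbox":
            return "allow-scripts" not in tokens[1:]
    return False


def runs_script_in_server_origin(product: BuildProduct, hardened: bool) -> bool:
    """Would opening this product execute its script with the viewer's session?"""
    headers = response_headers(product, hardened)
    if headers["Content-Type"] not in ACTIVE_CONTENT_TYPES:
        return False
    return not csp_blocks_script(headers.get("Content-Security-Policy", ""))


def vulnerable_products(products: list[BuildProduct], hardened: bool) -> list[str]:
    """Paths of products that would run script as the viewer under this header policy."""
    return [p.path for p in products if runs_script_in_server_origin(p, hardened)]


if __name__ == "__main__":
    products = parse_build_products(SAMPLE_MANIFEST)
    for hardened in (False, True):
        print(f"hardened={hardened}: {vulnerable_products(products, hardened)}")
    print("constructed payload:", MALICIOUS_REPORT)
```

The tarball and the PDF never reach ACTIVE_CONTENT_TYPES, which is why the advisory's workaround is specifically about HTML artifacts; the sandbox directive neutralises the HTML product because a sandboxed document gets an opaque origin and no script execution, so it can no longer act as the logged-in user against the server that hosts it.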

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-32657
GHSA-2P75-6G9F-PQGX

Affected Products

Hydra