PT-2024-34646 · Nix · Nix

Puckipedia · Published 2024-10-31 · Updated 2024-11-01 · CVE-2024-51481

CVSS v4.0: 1.0 (Low)
Vector: AV:L/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions

Nix versions prior to 2.18.9
Nix versions prior to 2.19.7
Nix versions prior to 2.20.9
Nix versions prior to 2.21.5
Nix versions prior to 2.22.4
Nix versions prior to 2.23.4
Nix versions prior to 2.24.10
Description

The issue concerns Nix, a package manager for Linux and other Unix systems, when it runs on macOS. Built-in builders such as builtin:fetchurl (exposed to users through import <nix/fetchurl.nix>) were not executed inside the macOS sandbox. As a result, these builders kept read access to world-readable paths and write access to world-writable paths outside the sandbox. The Nix sandbox is primarily intended to improve the reproducibility and purity of Nix builds, but it also mitigates the impact of other security issues by limiting a build's access to the host system.
Recommendations

For versions prior to 2.18.9, update to version 2.18.9 or later.
For versions prior to 2.19.7, update to version 2.19.7 or later.
For versions prior to 2.20.9, update to version 2.20.9 or later.
For versions prior to 2.21.5, update to version 2.21.5 or later.
For versions prior to 2.22.4, update to version 2.22.4 or later.
For versions prior to 2.23.4, update to version 2.23.4 or later.
For versions prior to 2.24.10, update to version 2.24.10 or later.
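As an added example (not from the advisory or the Nix project), the following Python check maps an installed Nix version onto the fixed releases listed above and reports whether an update is needed. It assumes `nix --version` prints a line such as `nix (Nix) 2.21.3`; versions on release branches the advisory does not list are reported as unclassified rather than guessed.

```python
import re
import subprocess
import sys

# First fixed release on each branch, taken from the recommendations above.
FIXED_VERSIONS = {
    (2, 18): (2, 18, 9),
    (2, 19): (2, 19, 7),
    (2, 20): (2, 20, 9),
    (2, 21): (2, 21, 5),
    (2, 22): (2, 22, 4),
    (2, 23): (2, 23, 4),
    (2, 24): (2, 24, 10),
}


def parse_version(text):
    """Extract the first X.Y.Z version from text like 'nix (Nix) 2.21.3'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version):
    """True if below the branch's fix, False if at/above it, None if the
    branch (major.minor) is not one the advisory lists."""
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def recommended_version(version):
    """Dotted string of the fixed release for this branch, or None."""
    fixed = FIXED_VERSIONS.get(version[:2])
    return None if fixed is None else ".".join(map(str, fixed))


def check_installed():
    """Query the local nix binary (assumed on PATH) and print a verdict.
    The advisory concerns macOS only, so the result matters on darwin hosts."""
    out = subprocess.run(["nix", "--version"], capture_output=True,
                         text=True, check=True).stdout
    v = parse_version(out)
    verdict = is_affected(v)
    label = {True: "AFFECTED", False: "fixed", None: "branch not listed"}[verdict]
    target = recommended_version(v)
    print(f"nix {'.'.join(map(str, v))} on {sys.platform}: {label}"
          + (f" (update to {target} or later)" if verdict else ""))
    return verdict


if __name__ == "__main__":
    check_installed()
```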

Weakness Enumeration

Protection Mechanism Failure

Related Identifiers

CVE-2024-51481
GHSA-WF4C-57RH-9PJG

Affected Products

Nix