PT-2024-9884 · Nix+2

Puckipedia · Published 2024-09-10 · Updated 2025-11-21 · CVE-2024-45593

CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Nix versions 2.24 through 2.24.5 (that is, the 2.24 series prior to 2.24.6)
Description: A bug in Nix allows a substituter or a malicious user to craft a NAR that, when unpacked by Nix, causes Nix to write to arbitrary file system locations to which the Nix process has access. When the unpacking is performed by the Nix daemon, those writes happen with root permissions. The underlying weakness is improper limitation of a pathname to a restricted directory (path traversal). Exploitation may allow a remote attacker to overwrite arbitrary files on the system.
Recommendations: For all affected versions (Nix 2.24 through 2.24.5), update to Nix 2.24.6, which fixes the bug. As a temporary workaround, restrict access to the Nix daemon so that only trusted users and substituters can trigger the unpacking of NARs.
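The class of defect described above is an archive extractor that trusts member paths supplied by the archive. The following is an added illustration, not Nix's own code and not a representation of the NAR format: a generic containment check that an unpacker would apply to each member path before creating anything on disk. It assumes POSIX-style paths and a destination root chosen by the caller; the helper `demo_symlink_escape` builds a constructed temporary directory to show the second, filesystem-level check catching an escape through a symlink that a plain string check would miss.

```python
"""Defensive containment checks for archive member paths (added example).

Two layers:
  1. validate_member_path: a lexical check on the member name itself
     (absolute paths, '..' components, forbidden characters).
  2. resolve_destination: a filesystem check after joining onto the root,
     so that a symlink created by an earlier member cannot redirect a later
     member's write outside the destination directory.
"""
import os
import posixpath
import tempfile


class UnsafePathError(ValueError):
    """Raised when an archive member path would escape the destination root."""


def validate_member_path(member: str) -> str:
    """Return a normalised, root-relative member path or raise UnsafePathError.

    Rejects NUL bytes and backslashes, absolute paths, paths that normalise to
    nothing, and any '..' component. The components are inspected before
    normalising because posixpath.normpath would turn 'a/../../b' into '../b'
    and hide where the traversal came from.
    """
    if "\x00" in member or "\\" in member:
        raise UnsafePathError(f"forbidden character in {member!r}")
    if member.startswith("/"):
        raise UnsafePathError(f"absolute path not allowed: {member!r}")
    parts = [p for p in member.split("/") if p not in ("", ".")]
    if not parts:
        raise UnsafePathError(f"empty member path: {member!r}")
    if ".." in parts:
        raise UnsafePathError(f"parent-directory component in {member!r}")
    return posixpath.join(*parts)


def resolve_destination(dest_root: str, member: str) -> str:
    """Join a validated member path onto dest_root and re-check containment.

    realpath() follows symlinks, so if a previously extracted member created
    'dest_root/link -> /etc', a later member 'link/passwd' resolves to
    '/etc/passwd' and is rejected here even though it passed the lexical check.
    """
    rel = validate_member_path(member)
    root = os.path.realpath(dest_root)
    target = os.path.realpath(os.path.join(root, rel))
    if target != root and not target.startswith(root + os.sep):
        raise UnsafePathError(f"{member!r} resolves outside {dest_root!r}")
    return target


def is_safe_member(dest_root: str, member: str) -> bool:
    """True if the member may be written under dest_root, False otherwise."""
    try:
        resolve_destination(dest_root, member)
        return True
    except UnsafePathError:
        return False


def demo_symlink_escape() -> bool:
    """Constructed scenario: a symlink inside the root pointing outside it.

    Returns True if the containment check rejects a member path that
    traverses the link (the desired outcome).
    """
    root = tempfile.mkdtemp(prefix="unpack-demo-")
    os.symlink("/etc", os.path.join(root, "escape"))  # as an earlier member might
    rejected = not is_safe_member(root, "escape/passwd")
    os.unlink(os.path.join(root, "escape"))
    os.rmdir(root)
    return rejected


if __name__ == "__main__":
    # Constructed sample member names, as they might appear in any archive.
    root = "/tmp/unpack-demo"  # hypothetical destination; need not exist
    for s in ["bin/sh", "./lib/libc.so", "../etc/passwd", "/etc/shadow", "a/../../b"]:
        print(f"{s!r:18} -> {'ok' if is_safe_member(root, s) else 'REJECTED'}")
    print("symlink escape rejected:", demo_symlink_escape())
```

The lexical check alone is what most extractors get wrong first; the realpath check is what remains necessary once the archive can also create symlinks, because the destination tree changes as extraction proceeds. Rejecting every `..` component, even in a path such as `ok/../fine` that would stay inside the root, is deliberate: there is no legitimate reason for an archive producer to emit one.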

Exploit · Fix · Path traversal

Weakness Enumeration

Related Identifiers

BDU:2024-11662
CVE-2024-45593
GHSA-H4VV-H3JQ-V493
USN-7633-1

Affected Products

Linuxmint
Nix
Ubuntu