PT-2025-32685 · Hydra · Hydra

Published: 2025-08-12 · Updated: 2025-08-12 · CVE-2025-54864
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Hydra versions prior to commit f7bda02
Description: Hydra is a continuous integration service for Nix-based projects. The /api/push-github and /api/push-gitea API endpoints were called by their respective forges without HTTP Basic authentication, despite featuring HMAC signing with a secret key. Triggering evaluations, particularly large ones, could lead to denial-of-service attacks on the host running the evaluator.
Recommendations: Update to commit f7bda02 or later. As a workaround, block access to the /api/push-github and /api/push-gitea API endpoints via a reverse proxy.
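The reverse-proxy workaround above, written out as an nginx fragment. This is an added example, not part of this advisory or of the Hydra project; it assumes Hydra is fronted by nginx and that hydra-server listens on 127.0.0.1:3000, which is a placeholder to adjust to the local deployment.

```nginx
# Hypothetical nginx fragment for the stop-gap in the advisory: refuse the two
# forge-webhook endpoints before they reach hydra-server. The upstream address
# and server_name are assumed placeholders.
upstream hydra_backend {
    server 127.0.0.1:3000;
}

server {
    listen 443 ssl;                      # certificate directives omitted
    server_name hydra.example.invalid;   # placeholder

    # Prefix matches, so trailing-slash variants are covered as well, and
    # longer prefixes beat "/" regardless of declaration order. The "^~"
    # modifier stops any regex location elsewhere in the config from
    # taking precedence over these denials.
    location ^~ /api/push-github { return 403; }
    location ^~ /api/push-gitea  { return 403; }

    location / {
        proxy_pass http://hydra_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Blocking the endpoints also disables forge-triggered evaluations, so remove the two denials once the deployment is at commit f7bda02 or later.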

Weakness Enumeration: Missing Authentication

Related Identifiers: CVE-2025-54864, GHSA-QPQ3-646C-VGX9

Affected Products: Hydra