CVE-2025-59378

MEDIUM5.7

In guix-daemon in GNU Guix before 1618ca7, a content-addressed-mirrors file can be written to create a setuid program that allows a regular user to gain the privileges of the build user that runs it (even after the build has ended)

Published Sep 15, 2025

Modified 4 months ago

No fix available

Details

In guix-daemon in GNU Guix before 1618ca7, a content-addressed-mirrors file can be written to create a setuid program that allows a regular user to gain the privileges of the build user that runs it (even after the build has ended).

References

WEBhttps://codeberg.org/guix/guix/commit/1618ca7aa2ee8b6519ee9fd0b965e15eca2bfe45 WEBhttps://guix.gnu.org/en/blog/2025/privilege-escalation-vulnerability-2025-2/ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2025-59378

CVSS Analysis

CVSS v3.1

5.7

Exploitability

Attack Vector

LocalAV:L

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

ChangedS:C

Impact

Confidentiality

LowC:L

Integrity

LowI:L

Availability

NoneA:N

5.7/CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Weakness Type (CWE)

Other

CWE-669

Ecosystems

Timeline

PublishedSep 15, 2025

ModifiedSep 15, 2025