CVE-2025-32435

low-risk

Published 2025-04-15

Hydra is a Continuous Integration service for Nix based projects. Evaluation of untrusted non-flake nix code could potentially access secrets that are accessible by the hydra user/group. This should not affect the signing keys, that are owned by the hydra-queue-runner and hydra-www users respectively.

Do I need to act?

0.17% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 2.6/10 Low

NETWORK / HIGH complexity

Affected Products (1)

Hydra

Affected Vendors

Nixos

References (4)

Patch https://github.com/NixOS/hydra/commit/8d750265135b7e203520036a742afdf301b4013f

Vendor Advisory https://github.com/NixOS/hydra/security/advisories/GHSA-j7w7-965w-vjxw

Issue Tracking https://github.com/NixOS/nixpkgs/pull/397919

Release Notes https://github.com/nix-community/nix-eval-jobs/releases/tag/v2.28.1

/ 100

low-risk

Severity 10/34 · Low

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal