CVE-2025-52991
BaseFortify
Publication date: 2025-06-27
Last updated on: 2025-06-30
Assigner: MITRE
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-276 | During installation, installed file permissions are set to allow anyone to modify those files. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves the Nix, Lix, and Guix package managers using temporary build directories in locations that are world-readable and world-writable. This setup allows standard users to trick the package manager into using directories that already contain files, potentially causing unauthorized actions or manipulation of data during the build process. [1]
How can this vulnerability impact me?
The vulnerability can lead to privilege escalation where an unprivileged user can deceive the package manager into using manipulated directories, potentially causing unauthorized actions or data manipulation. This could compromise the integrity of the package build process and lead to security risks on the affected system. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the affected package managers (Nix, Lix, Guix) to versions that have patched the vulnerability once they become available. Currently, no fixed versions are available in some branches such as the unstable Debian branch. Monitoring the official Guix codebase and Debian security tracker for patches and applying them promptly is recommended. Until patches are applied, restrict access to temporary build directories to prevent unauthorized users from exploiting the world-readable and world-writable default locations. [1]