CVE-2025-54800
BaseFortify
Publication date: 2025-08-12
Last updated on: 2025-09-22
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nixos | hydra | to 2025-08-12 (exc) |
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-54800 is a high-severity persistent Cross-Site Scripting (XSS) vulnerability in the Hydra continuous integration system for Nix projects. It occurs because Hydra improperly validates and escapes data written by build processes into certain output files, such as hydra-metrics and hydra-release-name. A malicious package can inject arbitrary JavaScript code into these files, which Hydra then stores in its database and embeds directly into web pages without proper escaping. When users visit the build page, this malicious script executes in their browsers, potentially compromising their security. The vulnerability arises from insufficient input validation and output escaping in Hydra's build output parsing and web interface rendering. [1]
How can this vulnerability impact me?
This vulnerability can allow attackers to inject and execute arbitrary JavaScript code in the browsers of users visiting the Hydra build pages, including administrators. This can lead to unauthorized actions such as session hijacking, data manipulation, or other malicious activities that compromise the integrity of the system and user trust. Although confidentiality impact is low, the integrity impact is high because attackers can alter the behavior of the web interface and potentially manipulate build data or user interactions. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether your Hydra build system is running a version prior to commit dea1e168f590efb27db32dbacc82b09e15f8ae4b. You can inspect the build output files, especially `$out/nix-support/hydra-metrics` and `$out/nix-support/hydra-release-name`, for any suspicious or unexpected JavaScript code injections. Since the vulnerability involves unescaped JavaScript embedded in the web interface, monitoring HTTP traffic to the Hydra build pages for injected scripts or unusual payloads can also help detect exploitation attempts. Specific commands might include:
1) Checking the current commit of your Hydra installation via `git log -1` or `git show` in the Hydra source directory to verify whether the patch is applied.
2) Inspecting the contents of the build output files for suspicious script tags, e.g., `grep -E '<script|javascript:' $out/nix-support/hydra-metrics` or similar.
3) Using web security tools or browser developer tools to analyze the build page for injected scripts when accessed.
However, no explicit detection commands are provided in the resources. [1]
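The grep above only catches two literal patterns; the check below, added here as an example and not code from the advisory or from Hydra, goes further and flags any HTML-active character or malformed line in the two build output files, and shows the escaping a page template must apply to build-supplied text. The file formats (one `name value [unit]` metric per line, a single-line release name) and the sample contents are assumptions constructed for this example.

```python
import html
import re

# Constructed sample build outputs (not taken from the advisory). Format
# assumptions, not stated on the page: hydra-metrics holds one metric per
# line as "name value [unit]"; hydra-release-name is a single line.
SAMPLE_METRICS = (
    "build_time 42.7 s\n"
    "binary_size 1048576 bytes\n"
    "coverage 87 % <img src=x onerror=alert(1)>\n"
)
SAMPLE_RELEASE_NAME = "hydra-1.0<script>alert(1)</script>\n"

# Any of these characters lets build output change page structure
# when it is interpolated into HTML unescaped.
HTML_ACTIVE = re.compile(r"[<>&\"']")


def check_metrics(text: str) -> list[str]:
    """Flag hydra-metrics lines that are malformed or carry HTML-active characters."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if HTML_ACTIVE.search(line) or len(line.split()) not in (2, 3):
            findings.append(f"hydra-metrics:{lineno}: {line!r}")
    return findings


def check_release_name(text: str) -> list[str]:
    """Flag a hydra-release-name that is multi-line or carries HTML-active characters."""
    lines = [line for line in text.splitlines() if line.strip()]
    if len(lines) != 1 or HTML_ACTIVE.search(lines[0]):
        return [f"hydra-release-name: {text.strip()!r}"]
    return []


def render_cell(value: str) -> str:
    """What a web template must do with build-supplied text: HTML-escape it."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for finding in check_metrics(SAMPLE_METRICS) + check_release_name(SAMPLE_RELEASE_NAME):
        print("FINDING", finding)
    print("escaped release name:", render_cell(SAMPLE_RELEASE_NAME.strip()))
```

Run it against the real files under a build's `$out/nix-support/` by reading them into the two check functions; a non-empty result means the output should be reviewed before the build page is trusted.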
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the patch identified by commit dea1e168f590efb27db32dbacc82b09e15f8ae4b or any later commit that includes the fix. This patch introduces proper input validation, sanitization, and HTML escaping to prevent script injection. If patching is not immediately possible, workarounds include avoiding building untrusted packages and refraining from visiting the affected Hydra build pages to prevent execution of injected scripts in browsers. Additionally, reviewing and tightening input validation and output escaping in your Hydra deployment can help mitigate risks. [1, 2]