CVE-2025-54864
BaseFortify
Publication date: 2025-08-12
Last updated on: 2025-09-22
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nixos | hydra | to 2025-08-12 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-54864 is a vulnerability in Hydra, a continuous integration service for Nix projects, where two API endpoints (/api/push-github and /api/push-gitea) did not enforce authentication before a certain commit. These endpoints could be triggered by GitHub and Gitea webhooks without verifying the authenticity of the requests, allowing anyone to initiate resource-intensive evaluations. This missing authentication could be exploited to overload the system, potentially causing denial of service (DoS) by exhausting infrastructure resources. The issue was fixed by adding HMAC signature verification to ensure only authorized webhook requests can trigger evaluations. [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthorized users to trigger expensive evaluation jobs on your Hydra infrastructure without authentication. This can lead to resource exhaustion, causing denial of service (DoS) conditions in which legitimate users cannot perform builds or evaluations. There is no impact on confidentiality or integrity, but availability is affected because the system can be overloaded. If exploited, it could disrupt your continuous integration workflows and degrade system performance. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect attempts to exploit this vulnerability by monitoring access to the /api/push-github and /api/push-gitea endpoints for unauthenticated or suspicious POST requests. Checking Hydra server logs for webhook authentication failures or warnings is recommended. Use the following command to check logs related to webhook authentication:
`journalctl -u hydra-server | grep -i webhook`
Additionally, you can test webhook requests manually with curl commands that include HMAC signatures to verify proper authentication handling. Example commands for testing the GitHub and Gitea webhook endpoints with HMAC signatures are provided in the documentation. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the patch introduced in commit f7bda02 that enforces HMAC signature verification on /api/push-github and /api/push-gitea endpoints. If patching is not immediately possible, block these endpoints via a reverse proxy to prevent unauthenticated triggering of evaluations. Configure webhook secrets securely outside the Nix store, restrict permissions on the secrets file, and set up GitHub and Gitea webhooks with the corresponding secrets to ensure authenticated requests. Regularly verify webhook authentication via logs and test with signed curl requests. [1, 2]
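The detection and mitigation answers above both come down to one check: the raw webhook body must carry a valid HMAC before any evaluation is queued. The Python below is an added illustration of that gate, not Hydra's own code (Hydra is written in Perl), and it assumes GitHub's `X-Hub-Signature-256: sha256=<hex>` and Gitea's `X-Gitea-Signature: <hex>` header conventions, which this CVE record does not list; the secret and payload are constructed sample values.

```python
import hashlib
import hmac
from typing import Callable, Mapping, Tuple

# Constructed sample values; a deployment reads the secret from a restricted file outside the Nix store.
SAMPLE_SECRET = b"constructed-webhook-secret"
SAMPLE_BODY = b'{"ref": "refs/heads/main"}'

def _hex_hmac(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw request body, hex encoded."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def sign_github(secret: bytes, body: bytes) -> str:
    """Value GitHub puts in X-Hub-Signature-256; used here to build signed test requests."""
    return "sha256=" + _hex_hmac(secret, body)

def sign_gitea(secret: bytes, body: bytes) -> str:
    """Value Gitea puts in X-Gitea-Signature (bare hex digest, no prefix)."""
    return _hex_hmac(secret, body)

def verify_github_signature(secret: bytes, body: bytes, header_value: str) -> bool:
    # Require the sha256= prefix; a bare digest or another algorithm is rejected.
    if not header_value.startswith("sha256="):
        return False
    provided = header_value[len("sha256="):]
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(provided.encode(), _hex_hmac(secret, body).encode())

def verify_gitea_signature(secret: bytes, body: bytes, header_value: str) -> bool:
    return hmac.compare_digest(header_value.encode(), _hex_hmac(secret, body).encode())

# Endpoint -> (signature header, verifier). The header names are the ones GitHub
# and Gitea document for their webhooks; this CVE record does not list them.
ENDPOINTS: Mapping[str, Tuple[str, Callable[[bytes, bytes, str], bool]]] = {
    "/api/push-github": ("X-Hub-Signature-256", verify_github_signature),
    "/api/push-gitea": ("X-Gitea-Signature", verify_gitea_signature),
}

def handle_push(path: str, headers: Mapping[str, str], body: bytes, secret: bytes) -> Tuple[int, str]:
    """Gate the evaluation trigger: an evaluation is queued only for a correctly signed request."""
    if path not in ENDPOINTS:
        return 404, "unknown endpoint"
    header_name, verify = ENDPOINTS[path]
    # HTTP header names are case-insensitive.
    value = next((v for k, v in headers.items() if k.lower() == header_name.lower()), None)
    if value is None:
        return 401, "missing webhook signature"  # the unpatched behaviour would have queued work here
    if not verify(secret, body, value):
        return 403, "invalid webhook signature"
    return 202, "evaluation queued"
```

A log line for every 401 and 403 returned here is what the `journalctl` check above would surface; the signing helpers double as the source for the signed curl requests the mitigation advice recommends.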