CVE-2025-59378
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-15

Last updated on: 2025-09-15

Assigner: MITRE

Description
In guix-daemon in GNU Guix before 1618ca7, a content-addressed-mirrors file can be written to create a setuid program that allows a regular user to gain the privileges of the build user that runs it (even after the build has ended).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-15
Last Modified
2025-09-15
Generated
2026-06-16
AI Q&A
2025-09-15
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59378
EUVD
EUVD-2025-29155
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gnu guix 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-669 The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-59378 is a privilege escalation vulnerability in guix-daemon of GNU Guix before commit 1618ca7. It allows a local user to create a setuid program by exploiting how guix-daemon evaluates a user-supplied file named by the derivation's content-addressed-mirrors environment variable as arbitrary Guile code. This unsafe evaluation lets a regular user gain the privileges of the build user that runs the build, even after the build has ended. The vulnerability arises because the daemon does not properly isolate or restrict access to these files, enabling privilege escalation through crafted content-addressed-mirrors files. [1]

Impact Analysis

This vulnerability can allow a local attacker to escalate their privileges to those of the build user running guix-daemon, potentially gaining unauthorized access and control over the system. It threatens multi-user systems or any system where untrusted code can access guix-daemon's socket, enabling attackers to manipulate build outputs or execute privileged operations. Even rootless guix-daemon instances are affected, meaning the attacker can gain guix-daemon privileges regardless of root access. This can compromise system security and integrity. [1]

Detection Guidance

You can detect this vulnerability by running the provided test script `content-addressed-mirrors-vuln-check.scm` using the command `guix repl content-addressed-mirrors-vuln-check.scm`. The script will exit with code 1 if the guix-daemon is vulnerable, or 0 if it is not. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading guix-daemon to a version including commit 1618ca7 or later. For Guix System, run `guix pull`, reconfigure the system, and restart guix-daemon or reboot. For Guix on other distributions, run `guix pull` with root privileges and restart the guix-daemon service (e.g., `systemctl restart guix-daemon.service`). If using distribution-packaged Guix, consult package maintainers for upgrade instructions. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59378. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart