CVE-2025-59378
BaseFortify
Publication date: 2025-09-15
Last updated on: 2025-09-15
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gnu | guix | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-669 | The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-59378 is a local privilege escalation in guix-daemon, the build daemon of GNU Guix, in versions before commit 1618ca7. A derivation may carry an environment variable named content-addressed-mirrors; the daemon evaluated the file that variable pointed to as Guile code, so a user who can submit builds could point it at a file of their own and have arbitrary Guile code executed with the privileges of the build user that runs the build. Because that code runs as the build user rather than as the submitting user, it can leave behind a setuid program owned by the build user, which the attacker can invoke to regain those privileges after the build has ended. The root cause is that a path chosen by the build's submitter was handed to the evaluator without restriction. [1]
How can this vulnerability impact me? :
A local attacker, or any untrusted code that can reach guix-daemon's socket, can run arbitrary code as a build user and keep that access beyond the build through a setuid program. With it the attacker can tamper with build outputs produced as that user and perform operations reserved for the daemon's build users, which undermines the isolation the daemon is meant to enforce between users; multi-user systems are the main concern. Rootless guix-daemon instances are affected as well: the daemon does not have to run as root for the attacker to gain the build user's privileges. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Run the check script that accompanies the advisory, `content-addressed-mirrors-vuln-check.scm`, on the host where guix-daemon runs, as a user who can talk to the daemon: `guix repl content-addressed-mirrors-vuln-check.scm`. The script exits with status 1 if the daemon is vulnerable and 0 if it is not. If `guix repl` is not available or the script cannot be run at all, there is no verdict; do not read a failure to run the check as "not vulnerable". [1]
What immediate steps should I take to mitigate this vulnerability?
Upgrade to a Guix that includes commit 1618ca7 and make sure the running daemon is the new one; `guix pull` by itself only updates the `guix` command of the user who ran it. On Guix System, run `guix pull`, reconfigure the system, and restart guix-daemon or reboot. On other distributions, run `guix pull` as root (the guix-daemon service is started from root's Guix) and restart the service, e.g. `systemctl restart guix-daemon.service`. If Guix came from your distribution's package manager, follow the package maintainers' upgrade instructions instead. [1]
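The detection and upgrade steps above, as an added example (not code from the GNU Guix project, the advisory, or this page): a POSIX shell wrapper that runs the advisory's check script, refuses to read a check that did not run as a clean result, and prints the upgrade commands for the host type. The script path, the `/run/current-system` heuristic for Guix System, the shepherd service name `guix-daemon`, and `/etc/config.scm` as the system configuration file are assumptions.

```shell
#!/bin/sh
# Added example for this CVE page; not code from the GNU Guix project or
# from the advisory. Drives the advisory's check script and, if the daemon
# is vulnerable, prints the upgrade steps for the host type.
# Assumptions (not stated on the page): the check script path below, the
# /run/current-system heuristic for Guix System, the shepherd service name
# guix-daemon, and /etc/config.scm as the system configuration file.

CHECK_SCRIPT="${CHECK_SCRIPT:-./content-addressed-mirrors-vuln-check.scm}"
SYSTEM_CONFIG="${SYSTEM_CONFIG:-/etc/config.scm}"

# The advisory defines only two meaningful exit statuses for the check
# script: 1 = vulnerable, 0 = not vulnerable. Anything else means the check
# never produced a verdict (guix not installed, script missing, daemon
# unreachable) and must not be reported as "not vulnerable".
classify_check_exit() {
    case "$1" in
        0) echo "not-vulnerable" ;;
        1) echo "vulnerable" ;;
        *) echo "inconclusive" ;;
    esac
}

# Run the check script with $1 as the interpreter command (default
# "guix repl", deliberately unquoted so it splits into two words);
# a dry run or test can pass a stub such as "true" instead.
run_check() {
    runner="${1:-guix repl}"
    if $runner "$CHECK_SCRIPT" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    classify_check_exit "$status"
}

# Guix System exposes the booted generation at /run/current-system; on a
# foreign distribution that directory does not exist. The path is a
# parameter so the heuristic can be exercised without a Guix host.
is_guix_system() {
    [ -d "${1:-/run/current-system}" ]
}

# Upgrade steps from the advisory for the given host type ("system" or
# "foreign"), one command per line. They are printed rather than executed
# so an operator can review them; pipe the output into sh to apply.
remediation_steps() {
    case "$1" in
        system)
            printf '%s\n' \
                "guix pull" \
                "sudo guix system reconfigure $SYSTEM_CONFIG" \
                "sudo herd restart guix-daemon   # or reboot" ;;
        foreign)
            # The daemon service is started from root's Guix, so root must pull.
            printf '%s\n' \
                "sudo -i guix pull" \
                "sudo systemctl restart guix-daemon.service" ;;
        *)
            echo "unknown host type: $1" >&2
            return 2 ;;
    esac
}

main() {
    verdict=$(run_check)
    echo "guix-daemon: $verdict"
    case "$verdict" in
        vulnerable)
            if is_guix_system; then kind=system; else kind=foreign; fi
            echo "Upgrade steps ($kind):"
            remediation_steps "$kind"
            return 1 ;;
        inconclusive)
            echo "Could not run $CHECK_SCRIPT with 'guix repl'; rerun on the daemon host." >&2
            return 2 ;;
    esac
}

# Only act when invoked with "check"; sourcing the file just defines the functions.
case "${1:-}" in check) main ;; esac
```

Usage: `sh guix-cve-2025-59378.sh check` on the host that runs guix-daemon. Exit status 1 means vulnerable (with the upgrade commands printed), 2 means the check could not run, 0 means not vulnerable.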