CVE-2026-44029
Directory Traversal in Nix Package Manager
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nix | nix | From 2.24.4 (inc) |
| lix | lix | From 2.93.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-36 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-44029 is an absolute path traversal vulnerability in the Nix package manager versions 2.24.7 and later. It occurs when using commands like "nix-prefetch-url --unpack" or "nix store prefetch-file --unpack" to unpack archives. The vulnerability allows writing files to arbitrary locations on the filesystem outside the intended extraction directory if the archive contains entries with absolute paths.
This means that an attacker who can supply a crafted archive to these commands could cause files to be written anywhere on the system, potentially overwriting important files.
The issue was fixed in versions 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker to write files to arbitrary locations on your system when you use the vulnerable Nix commands to unpack archives. This could lead to unauthorized modification of files, potentially compromising system integrity.
While the vulnerability does not directly affect confidentiality or availability, it impacts integrity by allowing low-level unauthorized file writes.
Users are advised to avoid running the vulnerable commands on untrusted inputs to mitigate the risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves directory traversal when using the commands "nix-prefetch-url --unpack" or "nix store prefetch-file --unpack" which can write to arbitrary files outside the intended extraction root.
To detect if your system is vulnerable, you can check the installed Nix version to see if it is older than the fixed versions (2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, or 2.28.7).
There are no explicit detection commands provided in the resources, but you can verify the Nix version by running:
- nix --version
Additionally, monitoring usage of the vulnerable commands with unpack options on untrusted inputs may help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Nix to one of the fixed versions: 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, or 2.28.7.
Until you can upgrade, avoid running the vulnerable commands "nix-prefetch-url --unpack" and "nix store prefetch-file --unpack" on untrusted or potentially malicious archives.
Restrict access to the Nix daemon to only trusted users, as exploitation requires local access and permissions to connect to the daemon.
Consider monitoring and limiting daemon connections and applying any additional security controls to reduce the risk of local privilege escalation.