Description

Hydra is a continuous integration service for Nix based projects. Prior to commit f7bda02, /api/push-github and /api/push-gitea are called by the corresponding forge without HTTP Basic authentication. Both forges do however feature HMAC signing with a secret key. Triggering an evaluation can be very taxing on the infrastructure when large evaluations are done, introducing potential denial of service attacks on the host running the evaluator. This issue has been patched by commit f7bda02. A workaround involves blocking /api/push-github and /api/push-gitea via a reverse proxy.

INFO

Published Date :

2025-08-12T15:48:54.115Z

Last Modified :

2025-08-12T16:06:33.566Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-54864 vulnerability.

Vendors Products
Nixos
  • Hydra
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-54864.

URL Resource
https://github.com/NixOS/hydra/commit/f7bda020c6144913f134ec616783e57817f7686f cve-icon cve-icon
https://github.com/NixOS/hydra/security/advisories/GHSA-qpq3-646c-vgx9 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact