
CVE-2025-46415: CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition in NixOS Nix

Severity: Low
Tags: Vulnerability, CVE-2025-46415, CWE-367
Published: Fri Jun 27 2025 (06/27/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: NixOS
Product: Nix

Description

A race condition in the Nix, Lix, and Guix package managers allows the removal of content from arbitrary folders. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.

AI-Powered Analysis

AI analysis last updated: 06/27/2025, 13:44:28 UTC

Technical Analysis

CVE-2025-46415 is a Time-of-check Time-of-use (TOCTOU) race condition (CWE-367) in the Nix package manager and in the related package managers Lix and Guix. The race lets a local attacker cause the package manager to remove the contents of directories it was never meant to touch. Affected are Nix before 2.24.15, 2.26.4, 2.28.4 and 2.29.1; Lix before 2.91.2, 2.92.2 and 2.93.1; and Guix before 1.4.0-38.0e79d5b.

The underlying flaw is the one CWE-367 describes: the software checks a resource (a file or directory) and then operates on it without ensuring it is still the object that was checked. For code that removes a directory tree, the classic form is to verify that a path is a directory rather than a symbolic link and then delete through that path by name; if the entry is replaced by a symbolic link in the window between the check and the deletion, the removal follows the link and empties the directory it points at.

Exploitation requires local access, has high attack complexity (the attacker must win a race window) and needs no user interaction. The CVSS v3.1 base score of 3.2 (Low) reflects the local vector, the race, and the limited impact: the flaw discloses nothing, and its effect is the loss of files, which is an integrity and availability concern that can disrupt package management or system operation. No exploitation in the wild is reported, and no patch links are included in the provided data, but the version boundaries in the description identify the fixed releases (Nix 2.24.15, 2.26.4, 2.28.4 and 2.29.1; Lix 2.91.2, 2.92.2 and 2.93.1; Guix 1.4.0-38.0e79d5b).
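The following is an added illustration of the CWE-367 pattern described above, written for this page: it is generic example code, not the code of Nix, Lix or Guix, and it does not reproduce the exact code path of this CVE. It puts a recursive delete that checks a path and then reopens it by name beside a version that works against directory file descriptors with O_NOFOLLOW. All names (remove_tree_by_path, remove_tree_at, run_scenario, race_window_hook, the g_swap_* globals) and the temp-directory layout are constructed for the demo; the hook plays the racing attacker so the outcome is deterministic instead of depending on timing.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Demo scaffolding (constructed for this page, not from any package manager): both
 * deleters call this hook inside their check-to-use window. When it sees g_swap_dir it
 * plays the racing attacker: the real directory is moved aside and a symlink to
 * g_swap_target takes its place. A real attacker has to win this window by timing. */
void (*race_window_hook)(const char *display_path) = NULL;
static char g_swap_dir[PATH_MAX], g_swap_target[PATH_MAX];
static int g_swaps;

static int join(char *dst, size_t n, const char *a, const char *b) {
    return snprintf(dst, n, "%s/%s", a, b) < (int)n ? 0 : -1;
}

static void attacker_hook(const char *path) {
    char aside[PATH_MAX];
    if (strcmp(path, g_swap_dir) != 0) return;
    if (snprintf(aside, sizeof aside, "%s.aside", g_swap_dir) >= (int)sizeof aside) return;
    if (rename(g_swap_dir, aside) == 0 && symlink(g_swap_target, g_swap_dir) == 0) g_swaps++;
}

/* VULNERABLE (CWE-367): lstat() the path, then reopen the same path by name. If the
 * directory becomes a symlink in between, opendir() follows it and the recursion
 * empties whatever directory the link points at. */
int remove_tree_by_path(const char *path) {
    struct stat st;
    if (lstat(path, &st) < 0) return -1;               /* time of check */
    if (!S_ISDIR(st.st_mode)) return unlink(path);
    if (race_window_hook) race_window_hook(path);      /* the race window */
    DIR *d = opendir(path);                            /* time of use: follows symlinks */
    if (!d) return -1;
    for (struct dirent *e; (e = readdir(d)) != NULL;) {
        char child[PATH_MAX];
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        if (join(child, sizeof child, path, e->d_name) == 0) remove_tree_by_path(child);
    }
    closedir(d);
    return rmdir(path);
}

/* HARDENED: work relative to a directory file descriptor. O_NOFOLLOW refuses a symlink
 * swapped in for the directory, the opened object is compared (device, inode) with what
 * fstatat() checked, and entries are removed with unlinkat() against the checked fd.
 * display_path serves messages and the demo hook only. */
int remove_tree_at(int parent_fd, const char *name, const char *display_path) {
    struct stat st, opened;
    if (fstatat(parent_fd, name, &st, AT_SYMLINK_NOFOLLOW) < 0) return -1;
    if (!S_ISDIR(st.st_mode)) return unlinkat(parent_fd, name, 0); /* the entry itself, never a link target */
    if (race_window_hook) race_window_hook(display_path);          /* same race window as above */
    int fd = openat(parent_fd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)  /* ELOOP: it is a symlink now; do not follow it, just unlink the entry */
        return (errno == ELOOP || errno == ENOTDIR) ? unlinkat(parent_fd, name, 0) : -1;
    if (fstat(fd, &opened) < 0 || opened.st_dev != st.st_dev || opened.st_ino != st.st_ino) {
        close(fd); errno = EAGAIN; return -1;           /* not the object we checked: refuse */
    }
    DIR *d = fdopendir(fd);                            /* d now owns fd */
    if (!d) { close(fd); return -1; }
    for (struct dirent *e; (e = readdir(d)) != NULL;) {
        char child[PATH_MAX];
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        if (join(child, sizeof child, display_path, e->d_name) == 0) remove_tree_at(dirfd(d), e->d_name, child);
    }
    closedir(d);
    return unlinkat(parent_fd, name, AT_REMOVEDIR);
}

/* Constructed scenario in a fresh temp dir: <root>/victim/secret.txt is what the attacker
 * wants gone; <root>/build/sub/junk.txt is the tree to be removed. The hook swaps build/sub
 * for a symlink to victim at the worst moment. Returns 1 if secret.txt survived, 0 if it
 * was deleted, negative if the setup failed or the swap never happened. */
int run_scenario(int hardened) {
    char tmpl[] = "/tmp/toctou-demo-XXXXXX", victim[PATH_MAX], secret[PATH_MAX],
         build[PATH_MAX], sub[PATH_MAX], junk[PATH_MAX];
    char *root = mkdtemp(tmpl);
    if (!root || join(victim, sizeof victim, root, "victim") || join(secret, sizeof secret, victim, "secret.txt")
        || join(build, sizeof build, root, "build") || join(sub, sizeof sub, build, "sub")
        || join(junk, sizeof junk, sub, "junk.txt")) return -1;
    if (mkdir(victim, 0700) || mkdir(build, 0700) || mkdir(sub, 0700)) return -1;
    FILE *f = fopen(secret, "w"); if (!f) return -1; fputs("keep me\n", f); fclose(f);
    f = fopen(junk, "w");         if (!f) return -1; fputs("junk\n", f);    fclose(f);
    snprintf(g_swap_dir, sizeof g_swap_dir, "%s", sub);
    snprintf(g_swap_target, sizeof g_swap_target, "%s", victim);
    g_swaps = 0;
    race_window_hook = attacker_hook;
    if (hardened) remove_tree_at(AT_FDCWD, build, build); else remove_tree_by_path(build);
    race_window_hook = NULL;
    int survived = access(secret, F_OK) == 0;
    remove_tree_at(AT_FDCWD, root, root);              /* cleanup with the hook disabled */
    return g_swaps == 1 ? survived : -2;
}

int main(void) { printf("path-based: %d  fd-based: %d  (1 = secret.txt survived)\n", run_scenario(0), run_scenario(1)); return 0; }
```

Two caveats a practitioner should keep in mind. O_NOFOLLOW only protects the last path component, so the fd-based deleter is only as safe as the directory it starts from: start it from a descriptor of a directory the attacker cannot rename or replace, not from AT_FDCWD with a long attacker-influenced path as the demo does for brevity. And the device/inode comparison catches substitution by a different directory but not everything an unprivileged user can do on the same host (bind mounts, for instance, need privileges, but a checker should still fail closed, as remove_tree_at does with EAGAIN).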

Potential Impact

For European organizations the impact is primarily operational disruption. Nix, Lix and Guix are package managers used in certain Linux distributions and build environments, so organizations that rely on them for software deployment, system updates or development environments risk data loss or system instability if a local attacker uses this race to delete files or directories the package manager was never meant to touch. The flaw discloses no data, but deletion is an integrity and availability impact: it can leave systems or builds in an inconsistent state. This matters most where automated package management is on the critical path, such as CI/CD pipelines, shared build hosts, development workstations, or servers running NixOS or Guix System. The need for local access and a winnable race window makes widespread exploitation unlikely, but an insider, or an attacker who already holds an account on a multi-user build machine, could use it to cause disruption. Organizations with strict uptime and continuity requirements, such as financial institutions, healthcare providers and critical infrastructure operators, may see service interruptions or extra recovery work. Given the low CVSS score and the absence of known exploits, the immediate risk is limited where patching and basic operational controls are in place.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Upgrade to a fixed release of the package manager in use. The fixed releases are the version boundaries named in the description: Nix 2.24.15, 2.26.4, 2.28.4 or 2.29.1 (whichever branch is followed), Lix 2.91.2, 2.92.2 or 2.93.1, and Guix 1.4.0-38.0e79d5b. Confirm the installed version on each host (for example with `nix --version` or `guix --version`) rather than assuming an update applied; on NixOS and Guix System the package manager comes from the system configuration, so the system itself must be rebuilt, not only a user profile.

2) Restrict who can drive the package manager locally: limit shell access on build hosts to trusted users, and on Nix use the `allowed-users` setting in nix.conf to control which accounts may talk to the daemon.

3) Employ file system monitoring and integrity checking (audit watches or an integrity checker) on directories whose loss would matter, so unexpected deletions are detected quickly.

4) Harden CI/CD and development environments by isolating build and deployment processes from each other and from interactive users, so a compromised low-privileged account cannot race against builds it does not own.

5) Educate system administrators and developers about TOCTOU race conditions, and favour file-descriptor-relative operations (openat, fstatat, unlinkat with O_NOFOLLOW) over path-based check-then-use sequences in their own tooling.

6) Monitor vendor advisories and security bulletins from the Nix, Lix and Guix projects for further updates.

7) Consider sandboxing or runtime protection around build processes to contain the damage a race condition exploit could do.


Technical Details

Data version: 5.1
Assigner short name: mitre
Date reserved: 2025-04-24T00:00:00.000Z
CVSS version: 3.1
State: PUBLISHED

Threat ID: 685e9caaf6cf9081996a6c6d

Added to database: 6/27/2025, 1:29:14 PM

Last enriched: 6/27/2025, 1:44:28 PM

Last updated: 8/17/2025, 8:44:00 PM
