CVE-2025-52991: CWE-276 Incorrect Default Permissions in NixOS Nix
The Nix, Lix, and Guix package managers default to using temporary build directories in a world-readable and world-writable location. This allows standard users to deceive the package manager into using directories with pre-existing content, potentially leading to unauthorized actions or data manipulation. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.
AI Analysis
Technical Summary
CVE-2025-52991 is a vulnerability classified under CWE-276 (Incorrect Default Permissions) affecting the NixOS ecosystem's package managers: Nix, Lix, and Guix. These package managers use temporary build directories during package compilation and installation processes. The vulnerability arises because these temporary directories are created in locations that are world-readable and world-writable by default. This permissive setting allows any standard user on the system to potentially manipulate or pre-populate these directories with crafted content. Consequently, the package manager can be deceived into using these directories with malicious or unintended pre-existing files, which may lead to unauthorized actions or data manipulation during package builds. The affected versions include Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b. The vulnerability has a CVSS v3.1 base score of 3.2, indicating low severity, with an attack vector of local (AV:L), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), and a scope change (S:C). The impact is limited to integrity (I:L) with no confidentiality or availability impact. No known exploits are currently reported in the wild. This vulnerability primarily affects systems where multiple users have access and where these package managers are used, potentially allowing local users to interfere with package build processes, possibly injecting malicious code or corrupting builds.
Potential Impact
For European organizations, the impact of CVE-2025-52991 is primarily on the integrity of software packages built using the affected package managers. Organizations relying on Nix, Lix, or Guix for software deployment or development could face risks of unauthorized code injection or tampering during package builds if untrusted users have local access to build environments. This could lead to compromised software integrity, potentially introducing backdoors or malicious payloads into production environments. However, the low CVSS score and the requirement for local access with no privileges reduce the likelihood of widespread exploitation. Organizations with multi-user development environments, shared build servers, or CI/CD pipelines using these package managers are at higher risk. The vulnerability does not affect confidentiality or availability directly but undermines trust in the software supply chain, which is critical for compliance and security assurance in European industries, especially those under strict regulatory frameworks like GDPR and NIS Directive.
Mitigation Recommendations
To mitigate CVE-2025-52991, European organizations should implement the following specific measures:
1) Upgrade all affected package managers (Nix, Lix, Guix) to the latest patched versions where the default permissions for temporary build directories are corrected to restrict access appropriately.
2) Enforce strict file system permissions on temporary build directories, ensuring they are accessible only to the user performing the build process.
3) Isolate build environments using containerization or sandboxing techniques to prevent unauthorized users from accessing or manipulating build directories.
4) Implement robust access controls and user segregation on build servers and developer workstations to minimize the risk of untrusted users interfering with build processes.
5) Monitor build logs and artifacts for anomalies that could indicate tampering or unauthorized modifications.
6) Incorporate integrity verification mechanisms such as reproducible builds and cryptographic signing of build outputs to detect unauthorized changes.
7) Educate developers and system administrators about the risks of improper permissions and the importance of secure build environments.
These targeted actions go beyond generic advice by focusing on build environment hardening and process integrity specific to the affected package managers.
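The following is an added example written for this page, not code from Nix, Lix or Guix. It shows the check behind measure 2 above: before a build directory is handed to a build, audit it for the conditions the advisory describes (writable or readable by other local users, owned by someone else, a planted symlink, or pre-existing content), and create build directories privately with mkdtemp so none of those conditions can arise. It assumes a POSIX host; the directories it audits are constructed in a temporary root purely for the demonstration.

```python
import os
import stat
import tempfile

# Added example (not Nix/Lix/Guix code): audit a candidate build directory the
# way a hardened default should before using it for a build.


def audit_build_dir(path, builder_uid=None):
    """Return a list of findings; an empty list means the directory is safe to use.

    The checks mirror the failure modes in the advisory: a directory other local
    users can write to or read, one not owned by the building user, a symlink
    someone else planted in its place, or a directory that already has content.
    """
    if builder_uid is None:
        builder_uid = os.getuid()
    findings = []
    try:
        st = os.lstat(path)          # lstat: do not follow a planted symlink
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not-a-directory"]
    if st.st_uid != builder_uid:
        findings.append("foreign-owner")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group-or-world-writable")
    if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("group-or-world-readable")
    if os.listdir(path):
        findings.append("pre-existing-content")
    # The parent matters too: a world-writable parent without the sticky bit
    # lets any user rename or replace the build directory underneath the build.
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
        findings.append("parent-world-writable-no-sticky")
    return findings


def create_private_build_dir(root):
    """Create a fresh build directory only the calling user can access.

    mkdtemp creates the directory atomically, with mode 0700 and a random name,
    so another local user cannot pre-create it or populate it with content.
    """
    return tempfile.mkdtemp(prefix="build-", dir=root)


def build_scenarios():
    """Construct one weak and one private build directory and audit both."""
    # Constructed demo root: mkdtemp gives it mode 0700, so the parent check
    # above is neutral for both children.
    root = tempfile.mkdtemp(prefix="build-audit-")

    # The weak setting from the advisory: a shared build directory anyone on
    # the host can read and write, with content already sitting in it.
    weak = os.path.join(root, "shared-build")
    os.mkdir(weak)
    os.chmod(weak, 0o777)
    with open(os.path.join(weak, "planted-file"), "w") as f:
        f.write("constructed pre-existing content\n")

    # The corrected setting: a private, empty, freshly created directory.
    private = create_private_build_dir(root)

    return {"weak": audit_build_dir(weak), "private": audit_build_dir(private)}


if __name__ == "__main__":
    for name, findings in build_scenarios().items():
        print(f"{name}: {findings or 'OK'}")
```

Running the block prints three findings for the shared directory (writable and readable by others, pre-existing content) and OK for the mkdtemp-created one. The same audit can be pointed at whatever directory a build tool is configured to use on a shared host; any non-empty result is a reason to move the build directory to a private location before building.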
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-06-23T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 685ea032f6cf9081996a78fe
Added to database: 6/27/2025, 1:44:18 PM
Last enriched: 6/27/2025, 2:54:46 PM
Last updated: 8/5/2025, 10:49:14 PM