Incorrect Permission Assignment for Critical Resource Affecting guix package, versions *
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-DEBIAN13-GUIX-10498773
- published25 Jun 2025
- disclosed27 Jun 2025
Introduced: 25 Jun 2025
NewCVE-2025-52992 (opens in a new tab)Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities
Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
There is no fixed version for Debian:13 guix.
NVD Description
Note: Versions mentioned in the description apply only to the upstream guix package and not the guix package as distributed by Debian.
See How to fix? for Debian:13 relevant fixed versions and status.
The Nix, Lix, and Guix package managers fail to properly set permissions when a derivation build fails. This may allow arbitrary processes to modify the content of a store outside of the build sandbox. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.
References
- https://security-tracker.debian.org/tracker/CVE-2025-52992
- https://discourse.nixos.org/t/security-advisory-privilege-escalations-in-nix-lix-and-guix/66017
- https://guix.gnu.org/en/blog/2025/privilege-escalation-vulnerabilities-2025/
- https://labs.snyk.io
- https://lix.systems/blog/2025-06-24-lix-cves/
- https://security.snyk.io/vuln/?search=CVE-2025-52992