Incorrect Default Permissions Affecting guix package, versions *
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Incorrect Default Permissions vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-DEBIANUNSTABLE-GUIX-10498758
- published25 Jun 2025
- disclosed27 Jun 2025
Introduced: 25 Jun 2025
NewCVE-2025-52991 (opens in a new tab)How to fix?
There is no fixed version for Debian:unstable guix.
NVD Description
Note: Versions mentioned in the description apply only to the upstream guix package and not the guix package as distributed by Debian.
See How to fix? for Debian:unstable relevant fixed versions and status.
The Nix, Lix, and Guix package managers default to using temporary build directories in a world-readable and world-writable location. This allows standard users to deceive the package manager into using directories with pre-existing content, potentially leading to unauthorized actions or data manipulation. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.
References
- https://security-tracker.debian.org/tracker/CVE-2025-52991
- https://discourse.nixos.org/t/security-advisory-privilege-escalations-in-nix-lix-and-guix/66017
- https://guix.gnu.org/en/blog/2025/privilege-escalation-vulnerabilities-2025/
- https://labs.snyk.io
- https://lix.systems/blog/2025-06-24-lix-cves/
- https://security.snyk.io/vuln/?search=CVE-2025-52991