Platform: linux
Component: nix
Fixed in: 2.24.1
CVE-2024-45593 is a critical vulnerability affecting Nix package manager versions 2.24.0 through 2.24. An attacker can exploit this flaw by crafting a malicious NAR (Nix Archive Record) file. Upon unpacking, Nix will write to arbitrary file system locations accessible to the Nix process, potentially with root privileges if the Nix daemon is in use. The vulnerability is resolved in Nix version 2.24.6.
The impact of CVE-2024-45593 is severe. A successful exploit allows an attacker to write arbitrary files to the system with root privileges. This could lead to complete system compromise, including the installation of malware, modification of critical system files, and persistent backdoor access. The ability to write to arbitrary locations significantly expands the attack surface, potentially affecting any file accessible by the Nix process. This vulnerability shares similarities with other file path traversal vulnerabilities, where crafted input leads to unintended file system modifications.
CVE-2024-45593 was publicly disclosed on September 10, 2024. The vulnerability's criticality (CVSS 9.1) and the potential for root privilege escalation suggest a high probability of exploitation. While no public proof-of-concept (PoC) has been widely released, the ease of crafting malicious NAR files makes it likely that exploits will emerge. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.45% (64th percentile)
The primary mitigation for CVE-2024-45593 is to immediately upgrade to Nix version 2.24.6 or later. If an immediate upgrade is not feasible, consider restricting access to the Nix daemon and carefully auditing all NAR files before unpacking. Implement strict file system permissions to limit the impact of potential writes. While a WAF is unlikely to be effective here, monitoring for unusual file creation events within the Nix environment can provide early detection. After upgrading, confirm the fix by attempting to unpack a known malicious NAR file (if available) in a controlled environment to verify that the vulnerability is no longer exploitable.
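One way to carry out the pre-unpack audit recommended above, as an added example that is not the Nix project's code and is not part of the advisory: a small Python parser for the NAR wire format that walks every directory entry and rejects names that are not a single plain path component (empty, `.`, `..`, or containing `/`), plus duplicate names within one directory. The NAR encoding it reads (length-prefixed strings zero-padded to 8 bytes; the `(`, `type`, `entry`, `name`, `node`, `)` tokens) is Nix's documented archive format; the rejection policy, the helper names and the constructed sample archives are assumptions for illustration and are not the exact validation shipped in the fixed release.

```python
"""Offline audit of a NAR (Nix archive) before unpacking: walks the archive
and flags directory entry names that are not one plain path component.
Added example, not code from the Nix project or the advisory; the name
policy below is an assumed conservative rule, not the upstream fix."""
import struct

NAR_MAGIC = b"nix-archive-1"


class NarError(ValueError):
    """Raised when the archive is structurally malformed."""


def _s(b: bytes) -> bytes:
    """Encode one NAR string: u64 little-endian length, bytes, zero-pad to 8."""
    return struct.pack("<Q", len(b)) + b + b"\x00" * ((-len(b)) % 8)


class NarReader:
    """Cursor over the NAR wire format (strings as encoded by _s above)."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def read_string(self) -> bytes:
        if self.pos + 8 > len(self.data):
            raise NarError("truncated length field")
        (n,) = struct.unpack_from("<Q", self.data, self.pos)
        self.pos += 8
        if n > len(self.data) - self.pos:
            raise NarError("string length exceeds archive size")
        s, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        pad = (-n) % 8
        if self.data[self.pos:self.pos + pad] != b"\x00" * pad:
            raise NarError("bad padding")
        self.pos += pad
        return s

    def expect(self, token: bytes) -> None:
        got = self.read_string()
        if got != token:
            raise NarError(f"expected {token!r}, got {got!r}")


def unsafe_name_reason(name: bytes):
    """Why an entry name is rejected, or None if it is a plain component."""
    if name == b"":
        return "empty name"
    if name in (b".", b".."):
        return "dot or dot-dot name"
    if b"/" in name:
        return "contains '/'"
    return None


def audit_nar(data: bytes) -> list:
    """Parse the whole archive; return [(path, reason), ...] for bad names."""
    r = NarReader(data)
    r.expect(NAR_MAGIC)
    findings = []
    _walk(r, [], findings)
    if r.pos != len(data):
        raise NarError("trailing bytes after archive")
    return findings


def _walk(r: NarReader, path: list, findings: list) -> None:
    r.expect(b"(")
    r.expect(b"type")
    kind = r.read_string()
    if kind == b"regular":
        tok = r.read_string()
        if tok == b"executable":           # optional flag: "executable" ""
            r.expect(b"")
            tok = r.read_string()
        if tok != b"contents":
            raise NarError("regular node without contents")
        r.read_string()                     # file body is not inspected here
    elif kind == b"symlink":
        r.expect(b"target")
        r.read_string()                     # target string not policed here
    elif kind == b"directory":
        seen = set()
        while True:
            tok = r.read_string()
            if tok == b")":                 # closes the directory node
                return
            if tok != b"entry":
                raise NarError(f"unexpected token {tok!r} in directory")
            r.expect(b"(")
            r.expect(b"name")
            name = r.read_string()
            here = "/".join(path + [name.decode("utf-8", "replace")])
            reason = unsafe_name_reason(name)
            if reason:
                findings.append((here, reason))
            if name in seen:
                findings.append((here, "duplicate entry name"))
            seen.add(name)
            r.expect(b"node")
            _walk(r, path + [name.decode("utf-8", "replace")], findings)
            r.expect(b")")                  # closes the entry
    else:
        raise NarError(f"unknown node type {kind!r}")
    r.expect(b")")                          # closes a regular/symlink node


def regular(contents: bytes) -> bytes:
    return _s(b"(") + _s(b"type") + _s(b"regular") + _s(b"contents") + _s(contents) + _s(b")")


def directory(entries) -> bytes:
    body = b"".join(_s(b"entry") + _s(b"(") + _s(b"name") + _s(n) + _s(b"node") + node + _s(b")")
                    for n, node in entries)
    return _s(b"(") + _s(b"type") + _s(b"directory") + body + _s(b")")


# Constructed sample archives (not real-world NARs): one clean, one whose
# entry names a single-component policy must reject.
CLEAN_NAR = _s(NAR_MAGIC) + directory([(b"README", regular(b"hello\n"))])
BAD_NAR = _s(NAR_MAGIC) + directory([
    (b"README", regular(b"hello\n")),
    (b"../escape", regular(b"x")),
    (b"docs", directory([(b"", regular(b"y"))])),
])

if __name__ == "__main__":
    print("clean:", audit_nar(CLEAN_NAR))
    for p, why in audit_nar(BAD_NAR):
        print(f"REJECT {p!r}: {why}")
```

Run the audit over an archive before handing it to any unpacking code (for example, on NARs fetched from caches you do not fully trust); any finding or `NarError` is grounds to refuse the file. The parser deliberately rejects malformed length fields and padding rather than skipping them, so a truncated or hand-edited archive fails closed instead of being partially interpreted.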
Update Nix to version 2.24.6 or higher. This will fix the vulnerability that allows writing to arbitrary file system locations. The update can be performed through the system package manager or by downloading the latest version from the official Nix website.
CVE-2024-45593 is a critical vulnerability in Nix versions 2.24.0–2.24 that allows attackers to write arbitrary files with root privileges by crafting malicious NAR files.
If you are using Nix versions 2.24.0 through 2.24, you are potentially affected by this vulnerability. Upgrade to 2.24.6 or later to mitigate the risk.
The recommended fix is to upgrade to Nix version 2.24.6 or later. If an upgrade is not immediately possible, restrict access to the Nix daemon and carefully audit NAR files.
While no widespread exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of future attacks.
Refer to the Nix security advisory for detailed information and updates: [https://security.nixos.org/advisories/CVE-2024-45593](https://security.nixos.org/advisories/CVE-2024-45593)