
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-32773 is a security vulnerability discovered in Racket, a general-purpose programming language, affecting versions prior to 8.2. The vulnerability was disclosed on July 19, 2021. It involves a confused deputy attack in the sandbox module resolution system that could allow attackers to manipulate system module dependencies (Racket Advisory).
The vulnerability allows code evaluated using the Racket sandbox to cause system modules to incorrectly use attacker-created modules instead of their intended dependencies. This could enable attackers to control system functions and gain access to facilities that were meant to be restricted. The issue specifically relates to the sandbox module resolution system's handling of dependencies (Racket Advisory).
The vulnerability could allow attackers to bypass security restrictions in the Racket sandbox environment and gain unauthorized access to restricted facilities. This is particularly concerning for multi-user evaluation systems, such as the handin-server system, where the impact could affect multiple users (Racket Advisory).
The vulnerability was patched in Racket version 8.2. For systems unable to upgrade immediately, external sandboxing such as containers can limit the impact. The Handin server now provides an API to restrict requires for teaching languages, which can prevent exploitation of this bug. Users are strongly encouraged to use this API. For multi-user evaluation systems, upgrading to version 8.2 or later is required as there are no effective workarounds (Racket Advisory).
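To audit hosts against the fixed release named above, the following added example (not taken from the Racket advisory or this database) classifies the banner printed by `racket --version` as affected or fixed relative to 8.2. The function names are hypothetical, and the sample banners are constructed on the assumption that the banner has the form `Welcome to Racket v<version> [...]`.

```shell
#!/bin/sh
# Fixed release named on this page for CVE-2021-32773.
FIXED_VERSION="8.2"

# Extract the dotted version from a `racket --version` banner,
# e.g. "Welcome to Racket v8.1 [cs]." -> "8.1". Prints nothing if absent.
racket_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*Racket v\([0-9][0-9.]*[0-9]\).*/\1/p' | head -n 1
}

# Return 0 if version $1 is strictly lower than $2. Components are compared
# numerically (so 8.10 is newer than 8.2); missing components count as 0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# Classify a banner: prints "affected", "fixed" or "unknown".
classify_racket() {
    v=$(racket_version_from_banner "$1")
    if [ -z "$v" ]; then
        echo "unknown"      # no parseable version: investigate manually
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo "affected"     # prior to 8.2
    else
        echo "fixed"        # 8.2 or later
    fi
}

# Constructed sample banners; on a real host pass "$(racket --version 2>&1)".
for banner in "Welcome to Racket v8.1 [cs]." "Welcome to Racket v8.2 [cs]." \
              "Welcome to Racket v7.9 [bc]." "Welcome to Racket v8.10 [cs]." \
              "racket: not found"; do
    printf '%-32s %s\n' "$banner" "$(classify_racket "$banner")"
done
```

A result of "affected" matters most on hosts that evaluate untrusted code through the sandbox, such as the multi-user evaluation systems mentioned above.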
Source: This report was generated using AI