CVE-2022-25010: 
NixOS vulnerability analysis and mitigation

The component /rootfs in RageFile of Stepmania v5.1b2 and below contains a critical security vulnerability that allows attackers to access the entire file system. This vulnerability was discovered and disclosed in March 2022, affecting all versions of Stepmania up to and including version 5.1b2 (NVD, CVE).

The vulnerability has been assigned a CVSS v3 Base Score of 9.1 (Critical), with an Impact Score of 5.2 and Exploitability Score of 3.9. The attack vector is Network-based (AV:N), requires Low complexity (AC:L), needs No privileges (PR:N), and requires No user interaction (UI:N). The scope is Unchanged (S:U), with High impact on both Confidentiality (C:H) and Integrity (I:H), but No impact on Availability (A:N) (AttackerKB).

The vulnerability allows attackers to access the entire filesystem, enabling them to read and modify user data. On Linux systems, the /rootfs mount point in RageFile provides unrestricted access to the whole filesystem, allowing malicious themes and mod files to potentially rewrite user data and extract files via USB profiles (Github PR).

The vulnerability has been patched by removing access to the root filesystem from Lua. The fix involves replacing the /rootfs direct filesystem access with direct fstream file access for the required internal components. Users should upgrade to versions newer than v5.1b2 to protect against this vulnerability (Github PR).