CVE-2024-25622: 
NixOS vulnerability analysis and mitigation

CVE-2024-25622 affects h2o, an HTTP server with support for HTTP/1.x, HTTP/2, and HTTP/3. The vulnerability was discovered on October 11, 2024, and involves a configuration issue where header directives in inner scopes unexpectedly override all header definitions from outer scopes, potentially leading to security headers being omitted (GitHub Advisory). The vulnerability affects all versions up to February 11, 2024.

The vulnerability stems from a configuration handling flaw where when a header directive is used in an inner scope (e.g., path level), all header definitions in outer scopes (e.g., global level) are ignored instead of being inherited as expected. This behavior has been assigned a CVSS v3.1 base score of 3.1 (LOW) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N, indicating network accessibility but high attack complexity (NVD).

The vulnerability can result in headers not being modified as expected, which could lead to unexpected client behavior. For example, if security headers like X-XSS-Protection are set globally but another header is set at a path level, the security header would be unexpectedly omitted, potentially leaving the application vulnerable to attacks that the security header was meant to prevent (GitHub Advisory).

The vulnerability has been fixed in commit 123f5e2b65dcdba8f7ef659a00d24bd1249141be. As a workaround for users unable to update immediately, when using headers directives at the inner scope, all settings defined at the outer scope should be repeated at the inner scope level (GitHub Advisory).