CVE-2024-25626: 
NixOS vulnerability analysis and mitigation

In Yocto Projects Bitbake before 2.6.2 (before and included Yocto Project 4.3.1), a critical vulnerability was discovered in the Toaster server component. The vulnerability was disclosed on February 19, 2024, affecting the Yocto Project, which is an open source collaboration project that helps developers create custom Linux-based systems. The issue impacts multiple versions of the software including versions up to 3.1.31, 3.2 to 4.0.16, and 4.1 to 4.3.2 (NVD).

The vulnerability stems from missing input validation in the Toaster server component, which allows attackers to perform remote code execution in the server's shell via crafted HTTP requests. The issue has been assigned CVE-2024-25626 and received a CVSS v3.1 base score of 9.8 (Critical) from NIST and 8.8 (High) from GitHub. The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command Injection). Notably, authentication is not required to exploit this vulnerability (GitHub Advisory).

The vulnerability allows attackers to execute arbitrary code on the affected systems with the server's privileges. The CVSS metrics indicate high impact across all three security properties - confidentiality, integrity, and availability. This means successful exploitation could lead to complete system compromise (NVD).

The vulnerability has been fixed in multiple versions of the software. The fix has been backported to the bitbake included with Yocto Project 5.0, 3.1.31, 4.0.16, and 4.3.2. Users are advised to upgrade to these patched versions to mitigate the vulnerability (GitHub Advisory).