CVE-2025-1131: 
NixOS vulnerability analysis and mitigation

A local privilege escalation vulnerability (CVE-2025-1131) was discovered in the safeasterisk script included with the Asterisk toolkit package. The vulnerability affects multiple versions of Asterisk (<=18.26.2, <=20.15.0, <=21.10.0, <=22.5.0, <=18.9-cert15, <=20.7-cert6) and was disclosed on July 31, 2025. The issue exists when Asterisk is started via the safeasterisk script, which is common in SysV init or FreePBX environments (GitHub Advisory).

The vulnerability stems from the safe_asterisk script's behavior of sourcing all .sh files located in /etc/asterisk/startup.d/ as root, without validating ownership or permissions. The script runs with root privileges and executes every file with .sh extension in the specified directory without performing any chmod or ownership verification. The vulnerability has been assigned a CVSS v4.0 base score of 6.9 (Moderate) with the vector string CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N. The issue is classified as CWE-427 (Uncontrolled Search Path Element) (GitHub Advisory).

The vulnerability allows non-root users with legitimate write access to /etc/asterisk to escalate their privileges to root. An attacker could place malicious scripts in the startup.d directory that would execute with root privileges upon service restart. This could lead to complete system compromise through unauthorized root access (GitHub Advisory).

The vulnerability has been patched in versions 18.26.3, 20.15.1, 21.10.1, 22.5.1, 18.9-cert16, and 20.7-cert7. It's important to note that installations using the recommended systemd asterisk.service file to start Asterisk are not affected by this vulnerability. The issue only exists when using the safe_asterisk script to start the Asterisk daemon (GitHub Advisory).