CVE-2025-42921: 
NixOS vulnerability analysis and mitigation

A security vulnerability identified as CVE-2025-42921 was discovered in JetBrains Toolbox App versions prior to 2.6. The vulnerability relates to missing host key verification in the SSH plugin, which was disclosed on April 17, 2025. This security issue affects all versions of the JetBrains Toolbox App up to version 2.6 (NVD NIST, CVE MITRE).

The vulnerability has been classified as CWE-297 (Improper Validation of Certificate with Host Mismatch). According to the National Vulnerability Database, it received a CVSS v3.1 base score of 6.5 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. However, JetBrains s.r.o., the CNA (CVE Numbering Authority), assessed it with a lower CVSS score of 4.2 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N (NVD NIST).

The vulnerability's impact is characterized by low confidentiality and integrity breaches, with no impact on availability. The CVSS scoring indicates that while the vulnerability can be exploited over the network, it requires high attack complexity and user interaction according to the vendor's assessment (NVD NIST).

The vulnerability has been addressed in JetBrains Toolbox App version 2.6. Users are advised to upgrade to this version or later to mitigate the security risk (JetBrains Advisory).