CVE-2025-52993
Linux Debian vulnerability analysis and mitigation

Overview

A race condition vulnerability (CVE-2025-52993) was discovered in the Nix, Lix, and Guix package managers that enables changing the ownership of arbitrary files to the UID and GID of the build user (e.g., nixbld or guixbuild). This vulnerability affects multiple versions including Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b. The vulnerability was discovered by researchers from the Snyk Security Labs team and was publicly disclosed on June 24, 2025 (Nix Forum, Guix Blog).

Technical details

The vulnerability stems from a race condition in how the package managers handle builds, specifically in the way temporary directories and file ownership are manipulated while a build runs. The issue has been assigned a CVSS v3.1 Base Score of 5.6 (Medium) with the vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L. The vulnerability is classified under CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) (NVD).

Impact

When exploited, this vulnerability allows an attacker to change the ownership of arbitrary files to the build user's UID and GID. This can lead to privilege escalation and unauthorized file access on the system. The impact is particularly significant on multi-user systems where untrusted code can reach the package manager's daemon socket (Lix Blog).

Mitigation and workarounds

The vulnerability has been patched in updated versions of the affected package managers. Users should upgrade to Nix 2.24.15, 2.26.4, 2.28.4, or 2.29.1; Lix 2.91.2, 2.92.2, or 2.93.1; or Guix 1.4.0-38.0e79d5b or later. For Lix specifically, additional mitigations include using Pasta for network namespace isolation and implementing improved file descriptor handling. Systems still running older versions should add compensating security controls and restrict access to the package manager's daemon socket (Lix Blog, Guix Blog).
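As an added example (not code from the page or from the Nix, Lix or Guix projects), the following Python script classifies `nix --version` / `guix --version` output against the fixed releases listed above. It assumes the version line formats shown in the constructed samples, and it conservatively treats any Nix or Lix branch that has no fixed release listed (for example Nix 2.25 or 2.27) as vulnerable unless it is newer than the newest fixed branch.

```python
import re

# Fixed releases named in the advisory, keyed by release branch (major, minor).
FIXED = {
    "nix": {(2, 24): (2, 24, 15), (2, 26): (2, 26, 4),
            (2, 28): (2, 28, 4), (2, 29): (2, 29, 1)},
    "lix": {(2, 91): (2, 91, 2), (2, 92): (2, 92, 2), (2, 93): (2, 93, 1)},
}
# Guix is fixed from 1.4.0-38.0e79d5b, i.e. 38 commits past the 1.4.0 tag.
GUIX_FIXED = ((1, 4, 0), 38)

# Assumed shape of a --version line: "<cmd> (<product>...) <version>".
VERSION_LINE = re.compile(r"^(?:nix|guix) \((Nix|Lix|GNU Guix)[^)]*\) (\S+)")
PRODUCT_KEY = {"Nix": "nix", "Lix": "lix", "GNU Guix": "guix"}


def parse_version(text):
    """'1.4.0-38.0e79d5b' -> ((1, 4, 0), 38); '2.24.15' -> ((2, 24, 15), 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(\d+)\.[0-9a-f]+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    base = tuple(int(x) for x in m.group(1, 2, 3))
    return base, int(m.group(4) or 0)


def is_fixed(product, version):
    """True if this version contains the CVE-2025-52993 fix."""
    base, commits = parse_version(version)
    if product == "guix":
        return (base, commits) >= GUIX_FIXED
    branches = FIXED[product]
    branch = base[:2]
    if branch in branches:
        return base >= branches[branch]
    # Assumption: branches cut after the newest fixed branch carry the fix;
    # any other branch without a listed fix release is treated as vulnerable.
    return branch > max(branches)


def check_version_line(line):
    """Classify one --version line; returns (product, version, fixed)."""
    m = VERSION_LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised version line: {line!r}")
    product, version = PRODUCT_KEY[m.group(1)], m.group(2)
    return product, version, is_fixed(product, version)


# Constructed sample lines (not captured from real hosts).
SAMPLES = ["nix (Nix) 2.24.10", "nix (Nix) 2.28.4", "nix (Lix, like Nix) 2.92.0",
           "guix (GNU Guix) 1.4.0-37.0123abc", "guix (GNU Guix) 1.4.0-38.0e79d5b"]

if __name__ == "__main__":
    for sample in SAMPLES:
        product, version, fixed = check_version_line(sample)
        print(f"{product:<5} {version:<18} {'fixed' if fixed else 'VULNERABLE'}")
```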

Community reactions

The vulnerability disclosure was coordinated between the Nix, Lix, and Guix projects, with all teams working collaboratively to address the issue. The Snyk Security Labs team was credited with discovering the vulnerability, and the response from the open-source community has been swift and coordinated (Nix Forum).
