CVE-2025-59378: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-59378 is a privilege escalation vulnerability discovered in guix-daemon in GNU Guix versions before commit 1618ca7. The vulnerability was disclosed on September 1, 2025, affecting all GNU Guix systems, regardless of whether guix-daemon is running with root privileges (GNU Guix Blog).

The vulnerability exists in the content-addressed-mirrors file handling within guix-daemon's built-in builders (builtin:download and builtin:git-download). The issue allows arbitrary Guile code execution through the content-addressed-mirrors environment variable, which can be exploited to create a setuid program. This program can then be used to gain the privileges of the build user that runs it, even after the build has ended. The vulnerability has been assigned a CVSS v3.1 base score of 5.7 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows local users to gain elevated privileges of any build users and subsequently manipulate the output of any build. In systems running rootless daemon configurations, this can lead to gaining the privileges of guix-daemon itself. The impact is particularly significant for multi-user systems and any system where untrusted code may access guix-daemon's socket at /var/guix/daemon-socket/socket (GNU Guix Blog).

The vulnerability has been fixed through three commits (2a33354, f607aaa, and 9202921) in pull request #2419, with the fix implemented in commit 1618ca7. The solution involves changing the (guix scripts perform-download) to evaluate the content-addressed-mirrors file in a Guile isolated environment and implementing additional security checks. Users are strongly advised to upgrade their guix-daemon immediately through system reconfiguration after a guix pull (GNU Guix Blog).