CVE-2025-52991 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2025-52991 Interim 1 3 2025-07-12T06:33:55Z current 2025-06-25T23:14:18Z 2025-07-12T06:33:55Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2025-52991 The Nix, Lix, and Guix package managers default to using temporary build directories in a world-readable and world-writable location. This allows standard users to deceive the package manager into using directories with pre-existing content, potentially leading to unauthorized actions or data manipulation. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Tumbleweed nix-2.29.1-1.1 nix-bash-completion-2.29.1-1.1 nix-devel-2.29.1-1.1 nix-doc-2.29.1-1.1 nix-fish-completion-2.29.1-1.1 nix-zsh-completion-2.29.1-1.1 nix-2.29.1-1.1 as a component of openSUSE Tumbleweed nix-bash-completion-2.29.1-1.1 as a component of openSUSE Tumbleweed nix-devel-2.29.1-1.1 as a component of openSUSE Tumbleweed nix-doc-2.29.1-1.1 as a component of openSUSE Tumbleweed nix-fish-completion-2.29.1-1.1 as a component of openSUSE Tumbleweed nix-zsh-completion-2.29.1-1.1 as a component of openSUSE Tumbleweed The Nix, Lix, and Guix package managers default to using temporary build directories in a world-readable and world-writable location. This allows standard users to deceive the package manager into using directories with pre-existing content, potentially leading to unauthorized actions or data manipulation. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b. CVE-2025-52991 openSUSE Tumbleweed:nix-2.29.1-1.1 openSUSE Tumbleweed:nix-bash-completion-2.29.1-1.1 openSUSE Tumbleweed:nix-devel-2.29.1-1.1 openSUSE Tumbleweed:nix-doc-2.29.1-1.1 openSUSE Tumbleweed:nix-fish-completion-2.29.1-1.1 openSUSE Tumbleweed:nix-zsh-completion-2.29.1-1.1 moderate