CVE-2025-54864

Hydra missing authentication when triggering evaluations through GitHub and Gitea plugins

Description

Hydra is a continuous integration service for Nix based projects. Prior to commit f7bda02, /api/push-github and /api/push-gitea are called by the corresponding forge without HTTP Basic authentication. Both forges do however feature HMAC signing with a secret key. Triggering an evaluation can be very taxing on the infrastructure when large evaluations are done, introducing potential denial of service attacks on the host running the evaluator. This issue has been patched by commit f7bda02. A workaround involves blocking /api/push-github and /api/push-gitea via a reverse proxy.

Category

6.9
CVSS
Severity: Medium
CVSS 4.0 •
EPSS 0.08%
Affected: NixOS hydra
Published at:
Updated at:

References

Link Tags
https://github.com/NixOS/hydra/security/advisories/GHSA-qpq3-646c-vgx9
https://github.com/NixOS/hydra/commit/f7bda020c6144913f134ec616783e57817f7686f

Frequently Asked Questions

What is the severity of CVE-2025-54864?
CVE-2025-54864 has been scored as a medium severity vulnerability.
How to fix CVE-2025-54864?
To fix CVE-2025-54864, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-54864 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-54864 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-54864?
CVE-2025-54864 affects NixOS hydra.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.