Hydra missing authentication when triggering evaluations through GitHub and Gitea...

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Description

Hydra is a continuous integration service for Nix based projects. Prior to commit f7bda02, /api/push-github and /api/push-gitea are called by the corresponding forge without HTTP Basic authentication. Both forges do however feature HMAC signing with a secret key. Triggering an evaluation can be very taxing on the infrastructure when large evaluations are done, introducing potential denial of service attacks on the host running the evaluator. This issue has been patched by commit f7bda02. A workaround involves blocking /api/push-github and /api/push-gitea via a reverse proxy.

Basic Information

ID CVE-2025-54864

Source GitHub_M

Published Aug 12, 2025 at 15:48

Modified Aug 12, 2025 at 16:06

Affected Product

Vendor NixOS

Product hydra

Version < f7bda020c6144913f134ec616783e57817f7686f

Affected Versions NixOS hydra < f7bda020c6144913f134ec616783e57817f7686f

CWE Classification

CWE-306

References

{
    "lastseen": "",
    "description": "Hydra is a continuous integration service for Nix based projects. Prior to commit f7bda02, /api/push-github and /api/push-gitea are called by the corresponding forge without HTTP Basic authentication. Both forges do however feature HMAC signing with a secret key. Triggering an evaluation can be very taxing on the infrastructure when large evaluations are done, introducing potential denial of service attacks on the host running the evaluator. This issue has been patched by commit f7bda02. A workaround involves blocking /api/push-github and /api/push-gitea via a reverse proxy.",
    "published": "2025-08-12T15:48:54.115Z",
    "modified": "2025-08-12T16:06:33.566Z",
    "type": "cve",
    "title": "Hydra missing authentication when triggering evaluations through GitHub and Gitea plugins",
    "source": "GitHub_M",
    "references": "https://github.com/NixOS/hydra/security/advisories/GHSA-qpq3-646c-vgx9\nhttps://github.com/NixOS/hydra/commit/f7bda020c6144913f134ec616783e57817f7686f",
    "id": "CVE-2025-54864",
    "bulletinFamily": "",
    "cwe": [
        "CWE-306"
    ],
    "cvelist": null,
    "sourceData": "NixOS hydra < f7bda020c6144913f134ec616783e57817f7686f",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "hydra",
    "version": "< f7bda020c6144913f134ec616783e57817f7686f",
    "vendor": "NixOS",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Hydra missing authentication when triggering evaluations through GitHub and Gitea plugins_CVE-2025-54864