Impact
Attackers can execute arbitrary script in the browser in Hydra's origin and issue authenticated HTTP requests on behalf of the logged-in user.
The feature being abused is that Hydra can serve build results directly. This is used, for example, to serve .iso
files for images that are not published through the homepage. Because of this, the issue only affects build results that are HTML files.
For https://hydra.nixos.org the relevant patch has been applied since around 2024-04-21 14:30 UTC.
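The root of the issue above is that a build product is served from the same origin as the Hydra UI, so an HTML artifact runs with the user's session. The following added example is not Hydra's patch and not the project's code; it illustrates the general mitigation for serving untrusted artifacts: pick a Content-Type from the file extension, refuse MIME sniffing, and put any script-capable document (HTML, XHTML, inline SVG) into a CSP sandbox so it gets an opaque origin and no script execution. The function name, the header set and the sample paths are assumptions made for this illustration.

```python
"""Choose response headers for an untrusted build product (illustrative, not Hydra's code)."""
import mimetypes

# Content types that a browser will render as a document and that can carry script.
# Constructed for this example; extend it if your server serves other renderable types.
SCRIPT_CAPABLE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


def headers_for_build_product(path: str) -> dict:
    """Return the response headers to use when serving the build product at `path`.

    - Content-Type is derived from the extension only; unknown files are served as
      application/octet-stream so the browser does not try to render them.
    - X-Content-Type-Options: nosniff stops the browser from second-guessing the
      declared type and treating a text or binary file as HTML.
    - For script-capable documents, Content-Security-Policy: sandbox (with no
      allow-* flags) gives the document an opaque origin and blocks scripts, so even
      a malicious HTML artifact cannot read cookies or make same-origin requests.
    """
    ctype, _encoding = mimetypes.guess_type(path)
    ctype = ctype or "application/octet-stream"
    headers = {
        "Content-Type": ctype,
        "X-Content-Type-Options": "nosniff",
    }
    if ctype in SCRIPT_CAPABLE_TYPES:
        headers["Content-Security-Policy"] = "sandbox"
    return headers


def is_served_safely(path: str) -> bool:
    """True when the headers for `path` prevent an artifact from running in the UI's origin."""
    h = headers_for_build_product(path)
    if h["Content-Type"] in SCRIPT_CAPABLE_TYPES:
        return h.get("Content-Security-Policy") == "sandbox"
    return h.get("X-Content-Type-Options") == "nosniff"


if __name__ == "__main__":
    # Constructed sample build-product paths, not taken from any real Hydra instance.
    for sample in ("result/index.html", "result/build.log.txt", "result/diagram.svg", "result/image.iso"):
        print(sample, headers_for_build_product(sample), is_served_safely(sample))
```

A stronger variant of the same idea is to serve build products from a separate, cookie-less hostname so that even a missed content type cannot reach the UI's session; the header approach above is the minimal change that can be applied to an existing same-origin route.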
Patches
- The nixpkgs packages have fixing PRs in unstable and 23.11
- Apply the patch to your hydra package
Workarounds
- Make sure to only build trusted inputs
- Be careful when opening links to direct build results from Hydra