Yes:
https://nvd.nist.gov/vuln/detail/CVE-2019-17365
And fixed here:
https://github.com/NixOS/nix/issues/509