Security Advisory: Kanidm Provisioned Admin Credentials Leaked into System Log (CVE-2025-30205)

Am I Affected?

You are affected if you use the nixpkgs package kanidmWithSecretProvisioning and have provisioned the admin or idm_admin credentials via secret provisioning. This is the case if you have enabled the NixOS module option services.kanidm.provision.enable and used either services.kanidm.provision.adminPasswordFile or services.kanidm.provision.idmAdminPasswordFile.

Impact

The provisioned admin credentials are leaked into the system logs.
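To check whether a provisioned password is present in your own logs, the following added example (not part of the advisory or of kanidm-provision) reads the password files you pass as arguments and searches log text from standard input for their contents, reporting matches with the value masked. It assumes the secret appears verbatim in the log; the script name check_leak.py and the sample data are constructed for illustration.

```python
import sys
from pathlib import Path

# Constructed sample data for illustration; not real Kanidm log output.
SAMPLE_SECRETS = {"admin": "constructed-admin-pw-1", "idm_admin": "constructed-idm-pw-2"}
SAMPLE_LOG = [
    "constructed line: service started",
    "constructed line: value=constructed-admin-pw-1",
    "constructed line: nothing sensitive here",
]

def load_secret(path):
    """Read a password file, dropping a trailing newline."""
    return Path(path).read_text(encoding="utf-8").rstrip("\r\n")

def find_leaks(log_lines, secrets):
    """Return (line_number, label) for each log line holding a secret verbatim."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for label, value in secrets.items():
            if value and value in line:  # an empty value would match every line
                hits.append((number, label))
    return hits

def redact(line, secrets):
    """Mask secret values so the report does not leak them a second time."""
    for value in secrets.values():
        if value:
            line = line.replace(value, "[REDACTED]")
    return line

def main(argv):
    # Usage: journalctl --no-pager -o cat | python3 check_leak.py FILE [FILE ...]
    secrets = {path: load_secret(path) for path in argv[1:]}
    lines = [line.rstrip("\n") for line in sys.stdin]
    hits = find_leaks(lines, secrets)
    for number, label in hits:
        shown = redact(lines[number - 1], secrets)
        print(f"line {number}: contains secret from {label}: {shown}")
    return 1 if hits else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pass the files referenced by services.kanidm.provision.adminPasswordFile and services.kanidm.provision.idmAdminPasswordFile as arguments; the exit status is 1 when any log line contains one of the secrets.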

Patches

The issue has been fixed in oddlama/kanidm-provision v1.2.0.

The corresponding patchsets in nixpkgs have been updated in:

References
