Summary
When programs.captive-browser is enabled, any user of the system can run arbitrary commands with the CAP_NET_RAW capability (binding to privileged ports, spoofing localhost traffic from privileged services…).
Am I affected?
You are impacted if programs.captive-browser.enable is set to true in your NixOS configuration.
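A runtime check that complements the configuration check above, as an added example (not code from the advisory or from nixpkgs). It assumes the wrapper is installed as udhcpc under /run/wrappers/bin, the default NixOS wrapper directory, and that getcap from libcap is available; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: report whether a udhcpc wrapper carrying CAP_NET_RAW exists.
# Assumption: wrappers live in /run/wrappers/bin (default security.wrapperDir).

# has_net_raw LINE: succeeds if a line of `getcap` output lists cap_net_raw.
# Accepts both libcap output styles: "file cap_x=ep" and "file = cap_x+ep".
has_net_raw() {
  printf '%s\n' "$1" | grep -qiE '(^|[ ,=])cap_net_raw([,=+ ]|$)'
}

# check_wrapper [DIR]: prints a verdict for DIR/udhcpc.
# Returns 0 = not exposed, 1 = wrapper with cap_net_raw present, 2 = cannot tell.
check_wrapper() {
  local dir="${1:-/run/wrappers/bin}"
  local wrapper="$dir/udhcpc"
  local caps

  if [ ! -e "$wrapper" ]; then
    echo "ok: no udhcpc wrapper in $dir"
    return 0
  fi
  if ! command -v getcap >/dev/null 2>&1; then
    echo "unknown: $wrapper exists but getcap is not installed"
    return 2
  fi

  caps="$(getcap "$wrapper" 2>/dev/null)"
  if has_net_raw "$caps"; then
    echo "exposed: $caps"
    return 1
  fi
  echo "ok: $wrapper carries no cap_net_raw"
  return 0
}

# Run the check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
  check_wrapper "${2:-}"
fi
```

Run it with `--check` on each host; an exit status of 1 means the wrapper is still present and one of the workarounds or fixes described below applies.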
What do I need to do?
As workarounds, you can:
- Disable the programs.captive-browser module
- Set config.security.wrappers.udhcpc.enable = lib.mkForce false in your configuration; this will not cause a loss of functionality when NetworkManager, dhcpcd or networkd are used.
Starting with NixOS/nixpkgs pull request #487775 ("nixos/captive-browser: remove the udhcpc setcap wrapper fallback", by Stebalien), the problematic wrapper has been removed on NixOS unstable.
On NixOS 25.11, after NixOS/nixpkgs pull request #487779 ("[25.11] nixos/captive-browser: remove the udhcpc wrapper unless required", by Stebalien), configurations using NetworkManager, dhcpcd or networkd are no longer vulnerable. For other situations, users will get a warning explaining how they can avoid the issue.
Acknowledgement
We would like to thank @Stebalien for identifying the issue and providing fixes.