Summary
When using the default configuration of the Tandoor Recipes NixOS module, specifically the SQLite backend together with the default MEDIA_ROOT, the full database file may be externally accessible, potentially from the Internet.
Am I affected?
Every NixOS configuration using services.tandoor-recipes with the default settings and the SQLite backend is impacted.
What do I need to do?
Ensure your SQLite database is not publicly accessible, and follow the remediation steps in the GitHub Security Advisory.
Starting with the following pull requests, evaluations of vulnerable configurations will trigger a warning:
- Unstable: nixos/tandoor-recipes: fix database leak when serving media (NixOS/nixpkgs Pull Request #427845, by Scrumplex)
- 25.11: [25.11] nixos/tandoor-recipes: fix database leak when serving media (NixOS/nixpkgs Pull Request #481140, by Scrumplex)
Acknowledgement
Thank you to @Scrumplex for developing the fixes and writing the advisory.