To summarize:
- This vulnerability allows privilege escalation, so it’s serious
- It only affects Nix 2.24.0 to 2.24.5
- The known attack vectors are closed in Nix 2.24.6
Please excuse any delay; we will publish a post mortem once the acute situation is cleaned up.
In the meantime, if you installed or upgraded Nix recently (after 2024-08-01 and before 2024-09-10):
- If you installed Nix standalone using the official installer, as found on
  - Download | Nix & NixOS
  - Install Nix — nix.dev documentation
  - Installation - Nix Reference Manual
  - Installing a Binary Distribution - Nix Reference Manual

  then please upgrade to 2.24.6 by uninstalling Nix and re-installing it using the installer.
- If you installed Nix using the Determinate Systems installer, then please update to 2.24.6 by upgrading, or by uninstalling and re-running the Determinate Systems installer.
- If you set `nixVersions.git` or `nixVersions.nix_2_24` in your NixOS, Home Manager, or nix-darwin configuration, update your Nixpkgs pin and rebuild the system. Otherwise you don't need to do anything.

Check when Nix 2.24.6 is available on the Nixpkgs channel branches:
- nixpkgs-unstable: Nixpkgs PR #341007 ("nix 2.24 bump") progress
- nixos-24.05: Nixpkgs PR #341049 ("[release-24.05] Nix 2.24.6 + nix git bump") progress
Lix is not affected because it was forked off Nix 2.18. The vulnerability was reported by Lix core team member @puckipedia.
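To decide which of the upgrade paths above applies to you, the first step is to find out whether the Nix you actually run is inside the affected range. The script below is an added example written for this page; it is not code from the advisory, from Nix, or from Lix. It assumes only that `nix --version` prints a line ending in the version, such as `nix (Nix) 2.24.5`, and the sample version lines in the `demo` function are constructed for illustration (the Lix line is there to show a fork version being classified as not affected, as the note above states).

```sh
#!/bin/sh
# Added example, not part of the NixOS advisory or of Nix itself: classify a Nix
# version as inside the affected range 2.24.0 to 2.24.5 (inclusive) or not.
# Assumes `nix --version` ends its first line with the version, e.g. "nix (Nix) 2.24.5".

# Extract the version word from a `nix --version` line: the last whitespace-separated
# word, with any suffix after the dotted numbers (e.g. "pre20240901_abc123") dropped.
nix_version_from_line() {
  (
    set -f                      # no globbing while word-splitting the line
    last=
    for w in $1; do last=$w; done
    printf '%s\n' "${last%%[!0-9.]*}"
  )
}

# Exit 0 if the version is 2.24.0..2.24.5, 1 if it is not, 2 if it cannot be parsed.
# A bare "2.24" is treated as 2.24.0 (affected).
nix_version_affected() {
  v=${1%%[!0-9.]*}                        # keep only the leading dotted numbers
  case $v in
    ''|.*|*.|*..*) return 2 ;;            # empty, or malformed dots: unparsable
  esac
  major=${v%%.*}
  case $v in *.*) rest=${v#*.} ;; *) rest=0 ;; esac
  minor=${rest%%.*}
  case $rest in
    *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
    *)   patch=0 ;;
  esac
  if [ "$major" -eq 2 ] && [ "$minor" -eq 24 ] && [ "$patch" -le 5 ]; then
    return 0
  fi
  return 1
}

# Check the nix binary on PATH. Exit 0 = affected, 1 = not affected, 2 = no nix / unparsable.
check_installed_nix() {
  if ! command -v nix >/dev/null 2>&1; then
    echo "no nix on PATH"; return 2
  fi
  line=$(nix --version 2>/dev/null | head -n 1)
  v=$(nix_version_from_line "$line")
  rc=0
  nix_version_affected "$v" || rc=$?
  case $rc in
    0) echo "Nix $v is in the affected range 2.24.0-2.24.5: upgrade to 2.24.6"; return 0 ;;
    1) echo "Nix $v is outside the affected range"; return 1 ;;
    *) echo "could not parse a version from: $line"; return 2 ;;
  esac
}

# Constructed sample lines (not real output) to show the classification stand-alone.
demo() {
  for line in "nix (Nix) 2.24.5" "nix (Nix) 2.24.6" "nix (Nix) 2.24" \
              "nix (Nix) 2.18.8" "nix (Lix, like Nix) 2.90.0" \
              "nix (Nix) 2.24.3pre20240901_abc123"; do
    v=$(nix_version_from_line "$line")
    if nix_version_affected "$v"; then verdict=AFFECTED; else verdict=ok; fi
    printf '%-40s -> %-8s %s\n' "$line" "$v" "$verdict"
  done
}

case "${1-}" in
  --demo)  demo ;;
  --check) check_installed_nix ;;
esac
```

Run it as `sh nix-check.sh --check` against the real installation, or `--demo` to see the constructed cases. Note that `nix --version` reports the client binary on PATH; on a multi-user installation the daemon may be a different binary (for example a user-profile `nix` next to the system one), so check the version of whichever binary the daemon runs as well before concluding you are outside the range.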
Mentioned elsewhere, for reference: