Vulnerability in Nix 2.24

There’s a vulnerability in Nix 2.24.

If you’re using the regular nix from nixpkgs (which the vast majority of users will be), you’re still on a safe version. If you recently (after August 1st) installed nix using the nix (not NixOS) installers, or are using nixVersions.git from nixpkgs, then you need to double-check. A fix is expected in version 2.24.6 which is to be released soon.

GHSA-h4vv-h3jq-v493

To summarize:

• This vulnerability allows privilege escalation, so it’s serious
• It only affects Nix 2.24.0 to 2.24.5
• The known attack vectors are closed in Nix 2.24.6

Please excuse any delay; we will publish a post mortem once the acute situation is cleaned up.

In the meantime, if you installed or upgraded Nix recently (after 2024-08-01 and before 2024-09-10):

• If you installed Nix standalone using the official installer, as found on

  • Download | Nix & NixOS
  • Install Nix — nix.dev documentation
  • Installation - Nix Reference Manual
  • Installing a Binary Distribution - Nix Reference Manual

  then please upgrade to 2.24.6, by uninstalling Nix and re-installing again using the installer.

• If you installed Nix using the Determinate Systems installer, then please update to 2.24.6 by upgrading, or by uninstalling and re-running the Determinate Systems installer.

• If you set nixVersions.git or nixVersions.nix_2_24 in your NixOS, Home Manager, or nix-darwin configuration, update your Nixpkgs pin and rebuild the system. Otherwise you don’t need to do anything.

  Check when excluding 2.24.6 is available on the Nixpkgs channel branches:

  • nixpkgs-unstable: Nixpkgs PR #341007 ("nix 2.24 bump") progress
  • nixos-24.05: Nixpkgs PR #341049 ("[release-24.05] Nix 2.24.6 + nix git bump") progress

Lix is not affected because it was forked off Nix 2.18. The vulnerability was reported by Lix core team member @puckipedia.

Mentioned elsewhere, for reference:

• Nix 2.24+ is vulnerable to (remote) privilege escalation | Lobsters
• Determinate Status - Uncoordinated disclosure of a Nix 2.24 privilege escalation vulnerability

The GitHub advisory is now public: Unsafe NAR unpacking · Advisory · NixOS/nix · GitHub

And 2.24.6 is released: Release 2.24.6 · NixOS/nix · GitHub

Thanks for the quick fixes now that the exploit is public.

I saw the remedy was about case insensitivity. I suppose case sensitive filesystems are not affected?

How so? The original explanation mentioned it was due to improper hash verification and symlink handling

Case-sensitivity was only one of the vectors. There are a class of similar bugs that abuse a similar mechanism of defining a symlink with an arbitrary target and then later traversing that symlink as a way to get write access as root. Other mechanisms include messing with the ordering of NAR entries and unicode representations.

Here’s the post mortem as promised: