When will nixos fix CVE-2025-62725?

Hi, CVE-2025-62725 has been public/fixed since October 2025.

I’m running NixOS 25.11.5672.2db38e08fdad (Xantusia) and just ran sudo nixos-rebuild switch --upgrade, but my Docker Compose is still 2.39.4, while the issue was fixed in v2.40.2.

I found the following: docker-compose: 2.39.4 -> 5.0.0 by r-ryantm · Pull Request #448898 · NixOS/nixpkgs · GitHub, where it seems NixOS should now run Docker Compose 5.0 or later, but that is not the case for me?

Having a CVE with a score of 8.9 for multiple months after it was fixed seems like a bad idea?

Do I have to wait for the next major release to get a newer version of docker compose?

I think the lack of any indication in the changelog made it non-trivial to discover the CVE. It was published three days after the 2.40.2 release. And what complicates the matter is that docker-compose has no maintainer listed in nixpkgs.

I have now prepared the update over here.

7 Likes

Thanks for the quick reply and action!

Hi @hexa, how long does it usually take for an update to be reflected in nixpkgs after the PR was merged?

It still says 2.39.4, and after updating my packages I’m also still at 2.39.4.

Thanks for your help!

You can see the progress of this PR: it’s in 25.11-small (which advances sooner) but not yet in 25.11 (which requires more tests).

The channel progresses when our test suite successfully completes. You can see the status of those test suites at https://status.nixos.org/ - as you can see, 25.11-small and 25.11 itself both succeeded yesterday, but on different commits. Looking at the details, it looks like it’ll probably pick it up in 1 or 2 days.

1 Like
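The thread turns on one check: is the Docker Compose you actually run at or above the version that carried the fix (v2.40.2), and what does your channel currently ship? The script below is an added example, not code from the thread or from nixpkgs. It compares versions with sort -V rather than string comparison (which would order 2.9.0 above 2.40.2), strips a leading "v", and, only if the tools are present, asks docker compose version --short for the installed version and evaluates docker-compose.version from the <nixpkgs> channel path via nix-instantiate. The fixed version constant, the function names and the assumption that <nixpkgs> points at your system channel are mine.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the Docker Compose you
# actually run is at or above the version that fixed the CVE discussed above.
# Plain string comparison gets versions wrong (e.g. "2.9.0" > "2.40.2"), so use
# sort -V, which understands dotted numeric versions (GNU coreutils / busybox).

FIXED_VERSION="2.40.2"   # from the thread: the fix shipped in v2.40.2

# version_at_least INSTALLED MINIMUM -> exit 0 if INSTALLED >= MINIMUM
version_at_least() {
    # strip a leading "v" as printed by some tools ("v2.40.3")
    inst=${1#v}
    min=${2#v}
    # the smaller of the two sorts first; if MINIMUM is first (or equal) we are good
    first=$(printf '%s\n%s\n' "$inst" "$min" | sort -V | head -n 1)
    [ "$first" = "$min" ]
}

# compose_version_verdict INSTALLED -> prints "vulnerable" or "fixed"
compose_version_verdict() {
    if version_at_least "$1" "$FIXED_VERSION"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Only query the real binaries if they are present, so the script also runs
# on a machine without Docker or Nix (e.g. when reviewing this offline).
if command -v docker >/dev/null 2>&1; then
    installed=$(docker compose version --short 2>/dev/null)
    if [ -n "$installed" ]; then
        echo "installed docker compose $installed: $(compose_version_verdict "$installed")"
    fi
fi
if command -v nix-instantiate >/dev/null 2>&1; then
    # version the system's nixpkgs channel ships (assumes <nixpkgs> is your channel)
    channel=$(nix-instantiate --eval -E '(import <nixpkgs> {}).docker-compose.version' 2>/dev/null | tr -d '"')
    if [ -n "$channel" ]; then
        echo "channel docker-compose $channel: $(compose_version_verdict "$channel")"
    fi
fi
```

If the installed line says "fixed" but the channel line says "vulnerable", the binary came from somewhere other than the system channel (a flake input, a different profile), which is worth knowing before deciding whether the channel lag in this thread actually affects you.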

Thanks @hexa and @raboof now I’m running 2.40.3 :man_bowing:

4 Likes