What is CVE-2025-52993?

CVE-2025-52993 is a medium-severity vulnerability in Nixos Nix, classified under Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition). CVSS score: 5.6/10. Published 2025-06-27.

How severe is CVE-2025-52993?

Medium severity. CVSS v3 base score is 5.6 out of 10.

Vulnerability in Nixos Nix

CVE-2025-52993

A race condition in the Nix, Lix, and Guix package managers enables changing the ownership of arbitrary files to the UID and GID of the build user (e.g., nixbld* or guixbuild*). This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1…

Vulnerability class: Race Condition

EPSS: 0.001 (22.1th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.6 (Medium). Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L.

Affected products

Nixos Nix — versions 0, 2.25.0, 2.27.0

Weakness classification (CWE)

CWE-362 — Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)

References

Frequently asked questions

What is CVE-2025-52993?: CVE-2025-52993 is a medium-severity vulnerability in Nixos Nix, classified under Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition). CVSS score: 5.6/10. Published 2025-06-27.
How severe is CVE-2025-52993?: Medium severity. CVSS v3 base score is 5.6 out of 10.