Setuid Privilege Escalation in guix-daemon (GNU Guix)
CVE-2025-59378 Published on September 15, 2025
In guix-daemon in GNU Guix before 1618ca7, a content-addressed-mirrors file can be written to create a setuid program that allows a regular user to gain the privileges of the build user that runs it (even after the build has ended).
Weakness Type
Incorrect Resource Transfer Between Spheres
The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
Products Associated with CVE-2025-59378
Affected Versions
GNU Guix: versions before commit 1618ca7aa2ee8b6519ee9fd0b965e15eca2bfe45 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.