CVE-2025-54864 Overview
CVE-2025-54864 affects Hydra, a continuous integration service for Nix-based projects. The /api/push-github and /api/push-gitea endpoints lack HTTP Basic authentication, allowing unauthenticated remote callers to trigger Hydra evaluations. While both forges support HMAC signing with a secret key, the affected endpoints did not validate signatures before processing requests. Triggering large evaluations is resource-intensive and can exhaust CPU and memory on the evaluator host, creating a denial of service condition. The flaw is tracked as Missing Authentication for Critical Function [CWE-306] and was patched in commit f7bda02.
Critical Impact
Unauthenticated network attackers can trigger expensive Hydra evaluations on demand, exhausting evaluator resources and degrading or halting continuous integration services.
Affected Products
- NixOS Hydra prior to commit f7bda02
- Hydra instances whose /api/push-github endpoint is reachable from untrusted clients (the public internet, or an internal network that untrusted users can reach)
- Hydra instances whose /api/push-gitea endpoint is reachable from untrusted clients under the same conditions
Discovery Timeline
- 2025-08-12 - CVE-2025-54864 published to NVD
- 2025-09-22 - Last updated in NVD database
Technical Details for CVE-2025-54864
Vulnerability Analysis
Hydra exposes webhook endpoints that GitHub and Gitea call to notify the CI service of repository changes. The endpoints /api/push-github and /api/push-gitea are reached without HTTP Basic authentication. Both forges support HMAC-based request signing using a shared secret, but Hydra did not verify those signatures prior to commit f7bda02. Any network-positioned attacker who can reach the Hydra host can therefore invoke the push endpoints directly. Each invocation can schedule an evaluation, and evaluations on large Nix projects consume substantial CPU, memory, and disk I/O. Repeated or concurrent invocations amplify resource consumption and produce a denial of service on the evaluator.
Root Cause
The root cause is missing authentication on critical webhook endpoints [CWE-306]. Hydra trusted the inbound request without validating the HMAC signature header supplied by GitHub or Gitea. Because evaluation triggering is an expensive operation, the absence of an authentication check converts a routine webhook into a resource amplification primitive.
Attack Vector
The attack vector is the network. An attacker sends crafted HTTP POST requests to the Hydra host targeting /api/push-github or /api/push-gitea. No credentials, user interaction, or prior access are required. Repeated requests force the evaluator to perform expensive Nix evaluations, leading to CPU exhaustion and service degradation.
use Digest::SHA qw(sha256_hex);
use Text::Diff;
use IPC::Run qw(run);
+use Digest::SHA qw(hmac_sha256_hex);
+use String::Compare::ConstantTime qw(equals);
sub api : Chained('/') PathPart('api') CaptureArgs(0) {
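Review bot: the added `use Digest::SHA qw(hmac_sha256_hex);` duplicates the existing `use Digest::SHA qw(sha256_hex);` two lines above it; fold both into one import, `use Digest::SHA qw(sha256_hex hmac_sha256_hex);`, so a later reader does not conclude the module is loaded twice for different reasons. `String::Compare::ConstantTime` is a new runtime dependency and must be declared wherever Hydra's Perl dependencies are listed, or packaged builds fail at module load. The excerpt ends before the handler that uses these functions, so whether a request with no signature header at all is rejected (rather than compared against an empty string) cannot be confirmed from these lines; the full hunk should be checked for that case.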
Source: NixOS/hydra commit f7bda02. The patch introduces hmac_sha256_hex for signature computation and String::Compare::ConstantTime::equals for constant-time comparison, enforcing HMAC validation on the push endpoints.
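The check described under Root Cause and introduced by commit f7bda02, restated as a standalone Python verifier (an added example, not Hydra's Perl code). GitHub sends the signature as X-Hub-Signature-256 with value "sha256=" followed by the hex HMAC-SHA256 of the raw body; Gitea sends the bare hex digest in X-Gitea-Signature. The pre-fix handler simply skipped this step, so every case below that returns False would have been accepted. The secret, payload and header dictionary are constructed for the example; hmac.compare_digest plays the role of String::Compare::ConstantTime::equals.

```python
import hashlib
import hmac
import json


def github_signature(secret: bytes, body: bytes) -> str:
    """Value GitHub puts in X-Hub-Signature-256: 'sha256=' + hex HMAC-SHA256 of the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def gitea_signature(secret: bytes, body: bytes) -> str:
    """Value Gitea puts in X-Gitea-Signature: bare hex HMAC-SHA256 of the raw body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_push(headers: dict, body: bytes, secret: bytes, forge: str) -> bool:
    """Accept the push only if the forge-specific header carries a valid HMAC.

    headers: already case-normalized header names -> values (assumption for this example).
    A missing header, a header for the other forge, a wrong secret, or an altered body
    all return False. The comparison is constant-time so an attacker cannot learn the
    expected digest byte by byte from response timing.
    """
    if forge == "github":
        presented = headers.get("X-Hub-Signature-256", "")
        expected = github_signature(secret, body)
    elif forge == "gitea":
        presented = headers.get("X-Gitea-Signature", "")
        expected = gitea_signature(secret, body)
    else:
        return False
    if not presented:
        return False  # unsigned request: never fall through to comparing against ""
    return hmac.compare_digest(presented.encode(), expected.encode())


# Constructed secret and payload; not captured Hydra traffic.
SECRET = b"hydra-webhook-shared-secret"
BODY = json.dumps({"repository": {"name": "nixpkgs", "owner": {"name": "NixOS"}}}).encode()


def demo() -> dict:
    """Exercise the verifier on the cases that matter; every value should be True."""
    good_github = {"X-Hub-Signature-256": github_signature(SECRET, BODY)}
    good_gitea = {"X-Gitea-Signature": gitea_signature(SECRET, BODY)}
    wrong_secret = {"X-Hub-Signature-256": github_signature(b"attacker-guess", BODY)}
    tampered_body = BODY.replace(b"nixpkgs", b"hydra")
    return {
        "github_valid": verify_push(good_github, BODY, SECRET, "github"),
        "gitea_valid": verify_push(good_gitea, BODY, SECRET, "gitea"),
        "unsigned_rejected": not verify_push({}, BODY, SECRET, "github"),
        "wrong_secret_rejected": not verify_push(wrong_secret, BODY, SECRET, "github"),
        "tampered_body_rejected": not verify_push(good_github, tampered_body, SECRET, "github"),
        "cross_forge_header_rejected": not verify_push(good_gitea, BODY, SECRET, "github"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'ok' if ok else 'FAIL'}")
```

The verifier must run over the raw request bytes, before any JSON decoding or re-serialization; re-encoding the body changes whitespace and key order and the digest no longer matches.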
Detection Methods for CVE-2025-54864
Indicators of Compromise
- High-volume or repeated POST requests to /api/push-github or /api/push-gitea from source IPs outside GitHub's published hook ranges (the "hooks" list at https://api.github.com/meta) or, for Gitea, outside the egress address of your own Gitea instance.
- Spikes in hydra-evaluator CPU, memory, or run-queue length not correlated with legitimate commit activity.
- Hydra evaluation queue backlog growing without corresponding repository push events.
Detection Strategies
- Inspect Hydra access logs and reverse proxy logs for POST requests to the two push endpoints that carry no X-Hub-Signature-256 (GitHub) or X-Gitea-Signature (Gitea) header. A proxy log can only record whether the header is present, not whether it verifies, so log the header value with a custom log_format and treat its absence as a strong indicator; only the patched Hydra, which holds the secret, knows whether a present header is valid.
- Correlate webhook delivery events from GitHub or Gitea audit logs against Hydra-side request counts to identify excess requests with no upstream origin.
- Alert when evaluator host resource utilization sustains above baseline while no scheduled or push-driven evaluations are expected.
Monitoring Recommendations
- Forward Hydra and reverse proxy logs to a centralized logging or SIEM pipeline and create rules for request rate anomalies on /api/push-* paths.
- Monitor evaluator process metrics (CPU, RSS, fork rate) and alert on sustained deviations from baseline.
- Track source IP distribution for push endpoint callers and flag any that are not GitHub or Gitea hook origins.
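The detection and monitoring rules above (unsigned push calls, off-range source IPs, request bursts) applied to proxy logs, as an added example that is not part of the original advisory or of Hydra. It assumes a custom nginx log_format, shown in the comment, that records the two signature headers; nginx writes "-" when a header is absent. The allowlist reuses the GitHub hook ranges from the /meta endpoint (verify the live list) plus a hypothetical Gitea egress address in TEST-NET-3, and the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed nginx log_format (constructed for this example; add to your nginx.conf):
# log_format hydra_hooks '$remote_addr [$time_local] "$request" $status '
#                        'sig_gh="$http_x_hub_signature_256" sig_gitea="$http_x_gitea_signature"';
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
    r'sig_gh="(?P<sig_gh>[^"]*)" sig_gitea="(?P<sig_gitea>[^"]*)"$'
)
PUSH_PATHS = {"/api/push-github", "/api/push-gitea"}

# GitHub "hooks" ranges as published at the time of writing (verify) plus a
# hypothetical self-hosted Gitea instance address.
ALLOWED = [ipaddress.ip_network(n) for n in (
    "140.82.112.0/20", "143.55.64.0/20", "185.199.108.0/22", "192.30.252.0/22",
    "203.0.113.10/32",
)]
BURST_THRESHOLD = 5   # push calls from one source inside the window before alerting
WINDOW_SECONDS = 60


def allowed_source(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED)


def analyze(lines):
    """Return per-IP push counts, unsigned counts, off-range sources and bursting sources."""
    counts, unsigned, off_range, times = Counter(), Counter(), set(), defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] not in PUSH_PATHS:
            continue  # only POSTs to the two push endpoints can trigger an evaluation
        ip = m["ip"]
        counts[ip] += 1
        sig = m["sig_gh"] if m["path"].endswith("github") else m["sig_gitea"]
        if sig in ("", "-"):
            unsigned[ip] += 1
        if not allowed_source(ip):
            off_range.add(ip)
        times[ip].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    bursts = set()
    for ip, stamps in times.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i  # count calls within WINDOW_SECONDS of stamps[i]
            while j < len(stamps) and (stamps[j] - stamps[i]).total_seconds() <= WINDOW_SECONDS:
                j += 1
            if j - i >= BURST_THRESHOLD:
                bursts.add(ip)
                break
    return {"counts": dict(counts), "unsigned": dict(unsigned),
            "off_range": off_range, "bursts": bursts}


# Constructed log lines: one signed GitHub delivery, one signed Gitea delivery,
# a GET and an unrelated POST that must be ignored, and six unsigned POSTs in ten
# seconds from an address outside every hook range.
SAMPLE_LOG = [
    '140.82.115.5 [12/Aug/2025:10:00:00 +0000] "POST /api/push-github HTTP/1.1" 200 '
    'sig_gh="sha256=0f3b6a1c9d2e4f5a6b7c8d9e0f1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c" sig_gitea="-"',
    '203.0.113.10 [12/Aug/2025:10:01:00 +0000] "POST /api/push-gitea HTTP/1.1" 200 '
    'sig_gh="-" sig_gitea="9a8b7c6d5e4f30211f2e3d4c5b6a79808192a3b4c5d6e7f8091a2b3c4d5e6f70"',
    '198.51.100.7 [12/Aug/2025:10:04:50 +0000] "GET /api/push-github HTTP/1.1" 405 sig_gh="-" sig_gitea="-"',
    '198.51.100.7 [12/Aug/2025:10:04:55 +0000] "POST /api/jobsets HTTP/1.1" 404 sig_gh="-" sig_gitea="-"',
] + [
    f'198.51.100.7 [12/Aug/2025:10:05:{s:02d} +0000] "POST /api/push-github HTTP/1.1" 200 '
    'sig_gh="-" sig_gitea="-"'
    for s in (0, 2, 4, 6, 8, 10)
]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real hydra_hooks log by replacing SAMPLE_LOG with the file's lines; an address that appears in both off_range and bursts with a non-zero unsigned count is the pre-patch attack pattern. Legitimate bursts do occur (a monorepo push fans out to many deliveries), so keep the off-range and unsigned signals as the primary alert and use burst count for severity.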
How to Mitigate CVE-2025-54864
Immediate Actions Required
- Update Hydra to a build that includes commit f7bda02 or later, which enforces HMAC signature validation on /api/push-github and /api/push-gitea.
- Configure the shared HMAC secret in both Hydra and the corresponding GitHub or Gitea webhook so signed requests verify successfully.
- Restrict network reachability of the Hydra web interface to known forge source ranges where operationally feasible.
Patch Information
The issue is fixed in NixOS Hydra commit f7bda020c6144913f134ec616783e57817f7686f. Full details are published in GitHub Security Advisory GHSA-qpq3-646c-vgx9. The fix introduces hmac_sha256_hex signature computation and constant-time comparison via String::Compare::ConstantTime::equals.
Workarounds
- Block /api/push-github and /api/push-gitea at a reverse proxy in front of Hydra if patching is not immediately possible. This also drops legitimate webhook deliveries; jobsets then pick up new commits only on their configured check interval, which is acceptable as a stopgap.
- Allowlist only the published GitHub and Gitea webhook IP ranges at the proxy or firewall layer.
- Apply rate limiting on the push endpoints to cap evaluation triggers per source IP.
# nginx example: allowlist the forge source ranges on the Hydra push endpoints, deny everyone else
location ~ ^/api/push-(github|gitea)$ {
    allow 140.82.112.0/20;   # GitHub hook range (verify against the "hooks" list at https://api.github.com/meta)
    allow 192.30.252.0/22;   # GitHub hook range (verify current list; add the other published hook ranges too)
    # For a self-hosted Gitea, add its egress address here, e.g. allow 203.0.113.10; (placeholder)
    deny all;                # everything else gets 403 before the request reaches Hydra
    proxy_pass http://hydra_upstream;   # upstream name assumed; use the one from your existing config
}
# If another load balancer sits in front of nginx, set real_ip_header and set_real_ip_from first,
# or allow/deny will evaluate the balancer's address instead of the caller's.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


