Impact
A flaw in Nix installers before version 2.34.7 allows a local user to write to arbitrary files through a directory traversal in the "nix-prefetch-url --unpack" and "nix store prefetch-file --unpack" commands. The commands do not sanitize their input, so they can reach paths outside the intended directory and create or modify files there. The weakness is a classic directory traversal (CWE-36). Its impact is the ability to alter or replace configuration or executable files, which can compromise system integrity and provide a foothold for further privilege escalation. Exploitation is limited to local users who can run the affected Nix commands, but it can be used to write privileged files if the attacker can control the directory structure or target files that require higher permission bits after write, effectively enabling local privilege escalation.
Affected Systems
The NixOS Nix package is affected. Versions prior to 2.34.7 are vulnerable, including 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 (the latest stable branch that received the fix is 2.24.7). All prior releases therefore remain at risk.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity. EPSS data is not available, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is local: a user with access to the prefetch commands can fabricate traversal paths and overwrite target files. While the lack of a known public exploit reduces the immediate threat, the local nature of the flaw means that environment misconfiguration or privilege separation failures could quickly turn it into a critical foothold. Administrators should consider the moderate CVSS rating, but given the potential for local privilege escalation, the risk is non-negligible in mixed-user environments.