nfpm vulnerable to Incorrect Default Permissions
Description
nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged the files (without extra config for enforcing its own permissions), files could go out with bad permissions (chmod 666 or 777). Anyone using nfpm to create packages without checking or setting file permissions before packaging could end up with bad permissions on the packaged files and folders.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
nFPM fails to preserve file permissions from source control, causing packages to ship with overly permissive (666/777) access.
Vulnerability
nFPM, a packaging tool alternative to fpm, does not maintain file permissions when building packages directly from source control. Without explicit configuration to enforce permissions, source files with overly broad permissions (such as 666 or 777) are passed into the final package unchanged [1][2].
Exploitation
An attacker who can contribute files to a source repository used by nFPM can set those files to world-writable permissions. When nFPM packages the repository using default settings, the resulting package installs those files with the same dangerous permissions on the target system. No special authentication or network position is required; the attack surface is limited to scenarios where untrusted files are added to a repository that is then packaged without permission overrides [2].
Impact
Systems that install packages created by nFPM may end up with executable scripts or configuration files that are writable by any user (chmod 666 or 777). This can lead to privilege escalation, unauthorized modification of system files, or other security breaches, depending on the location and content of the affected files [1][2].
Mitigation
The vulnerability is fixed in nFPM version 2.29.0 [3]. Users should upgrade to this version or later. Alternatively, packagers can explicitly specify file permissions in the nFPM configuration to override source permissions. There is no workaround if the source files already have dangerous permissions and the configuration does not enforce correct permissions [2].
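As an added pre-packaging gate (not code from the advisory or the nfpm project), the POSIX shell script below refuses to package a source tree that contains group- or world-writable files or directories, the exact modes the advisory says an unpatched nfpm copied into the package unless `file_info.mode` is set per entry in nfpm.yaml. The demo tree it builds is constructed here for illustration.

```shell
#!/bin/sh
# Pre-packaging gate for an nfpm source tree: fail the build when any file
# or directory carries a group- or world-writable bit (0666/0777 and the
# like), since nfpm < 2.29.0 copies those modes into the package unless
# the packager overrides them with file_info.mode in nfpm.yaml.

# Print every loosely writable entry under $1, one path per line.
# Only POSIX find predicates are used: "-perm -mode" matches when all of
# the given bits are set, so -020 is group-write and -002 is world-write.
list_loose_perms() {
  find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# Number of loosely writable entries under $1 (0 for a clean tree).
count_loose_perms() {
  list_loose_perms "$1" | wc -l | tr -d ' '
}

# Return 0 when the tree is clean; otherwise list offenders on stderr and
# return 1 so a CI step running "check_tree_perms ./pkgroot || exit 1"
# stops before nfpm is invoked.
check_tree_perms() {
  offenders=$(list_loose_perms "$1")
  if [ -n "$offenders" ]; then
    printf 'refusing to package: group/world-writable entries found\n' >&2
    printf '%s\n' "$offenders" >&2
    return 1
  fi
  return 0
}

# Constructed demo tree (not from the advisory): a correctly 0755 binary
# and a 0666 config file of the kind that would ship world-writable.
demo_tree() {
  umask 022
  d=$(mktemp -d)
  mkdir -p "$d/usr/bin" "$d/etc/foo"
  printf '#!/bin/sh\n' > "$d/usr/bin/foo"
  chmod 0755 "$d/usr/bin/foo"
  printf 'key=value\n' > "$d/etc/foo/foo.conf"
  chmod 0666 "$d/etc/foo/foo.conf"
  printf '%s\n' "$d"
}
```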
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/goreleaser/nfpm/v2 | Go | >= 2.0.0, < 2.29.0 | 2.29.0 |
| github.com/goreleaser/nfpm | Go | >= 0.1.0, <= 1.10.3 | — |
Affected products
5 entries (OSV coordinates, 4 versions):
- pkg:apk/chainguard/goreleaser-1.18 (no CPE), range: < 1.18.2-r12
- pkg:apk/wolfi/goreleaser-1.18 (no CPE), range: < 1.18.2-r12
- pkg:golang/github.com/goreleaser/nfpm (no CPE), range: >= 0.1.0, <= 1.10.3
- pkg:golang/github.com/goreleaser/nfpm/v2 (no CPE), range: >= 2.0.0, < 2.29.0
- goreleaser/nfpm (v5), range: >= 2.0.0, < 2.29.0
Patches
1 patch:
- ed9abdf63d50: sec: fix for CVE-2023-32698
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5 references:
- [1] github.com/advisories/GHSA-w7jw-q4fg-qc4c (ghsa, ADVISORY)
- [2] nvd.nist.gov/vuln/detail/CVE-2023-32698 (ghsa, ADVISORY)
- [3] github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30 (ghsa, x_refsource_MISC, WEB)
- [4] github.com/goreleaser/nfpm/releases/tag/v2.29.0 (ghsa, x_refsource_MISC, WEB)
- [5] github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c (ghsa, x_refsource_CONFIRM, WEB)
News mentions
0 linked articles in our index yet.