Get Nix CVEs
Retrieve active Nix CVE issues with linked pull requests and fix status. This endpoint combines data from GitHub issues with PR detection for a comprehensive view of CVE remediation status.
Data Source
This endpoint returns CVEs only from the Nixpkgs Security Tracker issues on GitHub. For combined stats across all ecosystems, use the /api/v1/stats endpoint.
Endpoint
GET /api/v1/nix-cves
Response
```json
{
  "success": true,
  "data": {
    "cves": [
      {
        "cveId": "CVE-2025-12345",
        "packageName": "curl",
        "severity": "high",
        "issueNumber": 12345,
        "issueUrl": "https://github.com/NixOS/nixpkgs/issues/12345",
        "title": "curl: CVE-2025-12345 - Buffer overflow vulnerability",
        "createdAt": "2025-01-15T10:00:00Z",
        "fixedVersion": "8.5.0",
        "linkedPRs": [
          {
            "number": 54321,
            "title": "[24.05] curl: 8.4.0 -> 8.5.0",
            "url": "https://github.com/NixOS/nixpkgs/pull/54321",
            "state": "open"
          }
        ],
        "assignees": ["contributor1"]
      }
    ],
    "total": 24,
    "withFix": 5,
    "withPR": 8
  },
  "timestamp": "2026-01-30T12:00:00.000Z"
}
```
Response Fields
| Field | Type | Description |
|---|---|---|
| cves | array | List of CVE objects |
| cves[].cveId | string | CVE identifier (e.g., CVE-2025-12345) |
| cves[].packageName | string | Affected package name |
| cves[].severity | string | Severity level (critical, high, medium, low, unknown) |
| cves[].issueNumber | number | GitHub issue number |
| cves[].issueUrl | string | Link to the GitHub issue |
| cves[].title | string | Issue title |
| cves[].createdAt | string | ISO 8601 timestamp when issue was created |
| cves[].fixedVersion | string\|null | Version that fixes the CVE, if known |
| cves[].linkedPRs | array | Pull requests linked to this CVE |
| cves[].linkedPRs[].number | number | PR number |
| cves[].linkedPRs[].title | string | PR title |
| cves[].linkedPRs[].url | string | Link to the PR |
| cves[].linkedPRs[].state | string | PR state (open, closed, merged) |
| cves[].assignees | array | GitHub usernames assigned to the issue |
| total | number | Total CVE count |
| withFix | number | CVEs where a fixed version is known |
| withPR | number | CVEs with at least one linked PR |
Example
```bash
curl https://api.vulnpatch.dev/api/v1/nix-cves
```
Code Examples
```javascript
async function getNixCVEs() {
  const response = await fetch('https://api.vulnpatch.dev/api/v1/nix-cves');
  // Fail early on HTTP errors instead of parsing an error body
  if (!response.ok) {
    throw new Error(`Request failed: HTTP ${response.status}`);
  }
  const { data } = await response.json();

  // Find CVEs with open PRs
  const withOpenPRs = data.cves.filter(cve =>
    cve.linkedPRs.some(pr => pr.state === 'open')
  );

  console.log(`CVEs with open PRs: ${withOpenPRs.length}`);
  for (const cve of withOpenPRs) {
    console.log(`${cve.cveId}: ${cve.linkedPRs.length} PRs`);
  }
}
```
```python
import requests

# Set a timeout and fail early on HTTP errors
response = requests.get('https://api.vulnpatch.dev/api/v1/nix-cves', timeout=10)
response.raise_for_status()
data = response.json()['data']

# Find unassigned CVEs with known fixes
unassigned_fixable = [
    cve for cve in data['cves']
    if cve['fixedVersion'] and not cve['assignees']
]

print(f"Unassigned CVEs with known fix: {len(unassigned_fixable)}")
for cve in unassigned_fixable[:5]:
    print(f"  {cve['cveId']} -> {cve['fixedVersion']}")
```
Use Cases
- PR Tracking: Monitor which CVEs have active PRs in progress
- Contribution: Find CVEs that need a PR (a fixed version is known but no PR exists)
- Status Dashboard: Track CVE remediation progress in Nixpkgs
- Automation: Build workflows that check CVE/PR status
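The use cases above can be combined into one triage pass over the documented response shape. The following is an added example, not code from the API's authors: the stage names (`needs-pr`, `pr-open`, `pr-merged`, `no-known-fix`), the function names and the sample data are assumptions, and a CVE whose only linked PRs are closed without merging is treated as still needing a PR.

```python
from collections import defaultdict
from datetime import datetime, timezone

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "unknown": 4}

def remediation_stage(cve):
    """Classify one CVE object by how far its fix has progressed."""
    states = {pr.get("state") for pr in cve.get("linkedPRs") or []}
    if "merged" in states:
        return "pr-merged"
    if "open" in states:
        return "pr-open"
    # No PRs, or only closed (unmerged) ones: nothing is in flight.
    return "needs-pr" if cve.get("fixedVersion") else "no-known-fix"

def triage(payload, now=None):
    """Group CVE ids by stage, ordered by severity and then oldest issue first."""
    if not payload.get("success"):
        raise ValueError("API response did not report success")
    now = now or datetime.now(timezone.utc)
    buckets = defaultdict(list)
    for cve in payload["data"]["cves"]:
        created = datetime.fromisoformat(cve["createdAt"].replace("Z", "+00:00"))
        rank = SEVERITY_RANK.get(cve.get("severity"), SEVERITY_RANK["unknown"])
        buckets[remediation_stage(cve)].append((rank, -(now - created).days, cve["cveId"]))
    return {stage: [cve_id for _, _, cve_id in sorted(rows)]
            for stage, rows in buckets.items()}

def sample_cve(cve_id, severity, created, fixed, pr_states):
    """Build one constructed CVE entry with only the fields triage() reads."""
    return {"cveId": cve_id, "severity": severity, "createdAt": created,
            "fixedVersion": fixed, "linkedPRs": [{"state": s} for s in pr_states]}

# Constructed sample data: placeholder CVE ids, not real advisories.
SAMPLE_NOW = datetime(2025, 2, 1, tzinfo=timezone.utc)
SAMPLE = {"success": True, "data": {"cves": [
    sample_cve("CVE-0000-0001", "high", "2025-01-10T10:00:00Z", "1.2.3", []),
    sample_cve("CVE-0000-0002", "critical", "2025-01-20T10:00:00Z", "2.0.1", ["closed"]),
    sample_cve("CVE-0000-0003", "medium", "2025-01-15T10:00:00Z", None, []),
    sample_cve("CVE-0000-0004", "low", "2025-01-12T10:00:00Z", "3.1", ["open"]),
    sample_cve("CVE-0000-0005", "high", "2025-01-01T10:00:00Z", "1.2.4", []),
    sample_cve("CVE-0000-0006", "unknown", "2025-01-05T10:00:00Z", "9.9", ["closed", "merged"]),
]}}

if __name__ == "__main__":
    for stage, ids in triage(SAMPLE, SAMPLE_NOW).items():
        print(f"{stage}: {', '.join(ids)}")
```

A merged PR may cover a single release branch (the sample PR title above carries a `[24.05]` prefix), so `pr-merged` marks a stage rather than confirming that every channel is fixed.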
Related Endpoints
- /api/v1/nix-stats - Aggregate Nixpkgs statistics
- /api/v1/issues - Full list of Nixpkgs tracker issues
Caching
This endpoint is cached for 30 minutes. The X-Cache header indicates cache status.