Skip to content

users may append `root` to group listings

Moderate severity GitHub Reviewed Published Jun 5, 2025 to the GitHub Advisory Database • Updated Jun 5, 2025

Package

cargo users (Rust)

Affected versions

>= 0.8.0, <= 0.11.0

Patched versions

None

Description

Affected versions append root to group listings, unless the correct listing has exactly 1024 groups.

This affects both:

  • The supplementary groups of a user
  • The group access list of the current process

If the caller uses this information for access control, this may lead to privilege escalation.

This crate is not currently maintained, so a patched version is not available.

Versions older than 0.8.0 do not contain the affected functions, so downgrading to them is a workaround.

Recommended alternatives

  • uzers (an actively maintained fork of the users crate)
  • sysinfo

References

Published to the GitHub Advisory Database Jun 5, 2025
Reviewed Jun 5, 2025
Last updated Jun 5, 2025

Severity

Moderate

EPSS score

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-m65q-v92h-cm7q

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.