CVE-2025-64517: sudo-rs doesn't record authenticating user properly in timestamp
When Defaults targetpw (or Defaults rootpw) is enabled, the password of the target account (or root account) instead of the invoking user is used for authentication. sudo-rs prior to 0.2.10 incorrectly recorded the invoking user’s UID instead of the authenticated-as user’s UID in the authentication timestamp. Any later sudo invocation on the same terminal while the timestamp was still valid would use that timestamp, potentially bypassing new authentication even if the policy would have required it.
References
- github.com/advisories/GHSA-q428-6v73-fc4q
- github.com/trifectatechfoundation/sudo-rs
- github.com/trifectatechfoundation/sudo-rs/commit/8423fd986c3fa58b357f238c0db5e54baca5255d
- github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.10
- github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-q428-6v73-fc4q
- nvd.nist.gov/vuln/detail/CVE-2025-64517
Code Behaviors & Features
Detect and mitigate CVE-2025-64517 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →