CVE-2025-5791: users may append `root` to group listings

June 5, 2025 (updated June 6, 2025)

Affected versions append root to group listings, unless the correct listing has exactly 1024 groups.

This affects both:

The supplementary groups of a user
The group access list of the current process

If the caller uses this information for access control, this may lead to privilege escalation.

This crate is not currently maintained, so a patched version is not available.

Versions older than 0.8.0 do not contain the affected functions, so downgrading to them is a workaround.

References

access.redhat.com/security/cve/CVE-2025-5791
bugzilla.redhat.com/show_bug.cgi?id=2370001
github.com/advisories/GHSA-m65q-v92h-cm7q
github.com/ogham/rust-users
github.com/ogham/rust-users/issues/44
nvd.nist.gov/vuln/detail/CVE-2025-5791
rustsec.org/advisories/RUSTSEC-2025-0040.html

Code Behaviors & Features

Detect and mitigate CVE-2025-5791 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →