GHSA-m65q-v92h-cm7q: users may append `root` to group listings

June 5, 2025

Affected versions append root to group listings, unless the correct listing has exactly 1024 groups.

This affects both:

The supplementary groups of a user
The group access list of the current process

If the caller uses this information for access control, this may lead to privilege escalation.

This crate is not currently maintained, so a patched version is not available.

Versions older than 0.8.0 do not contain the affected functions, so downgrading to them is a workaround.

References

github.com/advisories/GHSA-m65q-v92h-cm7q
github.com/ogham/rust-users
github.com/ogham/rust-users/issues/44
rustsec.org/advisories/RUSTSEC-2025-0040.html

Code Behaviors & Features

Detect and mitigate GHSA-m65q-v92h-cm7q with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →