CVE-2025-5689: New authd users logging in via SSH are members of the root group

June 16, 2025 (updated June 17, 2025)

When an authd user logs in via SSH for the first time (meaning they do not yet exist in the authd user database) and successfully authenticates via the configured broker, the user is considered a member of the root group in the context of that SSH session. This situation may allow the user to read and write files that are accessible by the root group, to which they should not have access. The user does not get root privileges or any capabilities beyond the access granted to the root group.

References

github.com/advisories/GHSA-g8qw-mgjx-rwjr
github.com/ubuntu/authd
github.com/ubuntu/authd/commit/619ce8e55953b970f1765ddaad565081538151ab
github.com/ubuntu/authd/security/advisories/GHSA-g8qw-mgjx-rwjr
nvd.nist.gov/vuln/detail/CVE-2025-5689

Code Behaviors & Features

Detect and mitigate CVE-2025-5689 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →