CVE-2025-64517
BaseFortify

Publication date: 2025-11-12

Last updated on: 2026-02-09

Assigner: GitHub, Inc.

Description
sudo-rs is a memory safe implementation of sudo and su written in Rust. With `Defaults targetpw` (or `Defaults rootpw`) enabled, the password of the target account (or root account) instead of the invoking user is used for authentication. sudo-rs starting in version 0.2.5 and prior to version 0.2.10 incorrectly recorded the invoking user’s UID instead of the authenticated-as user's UID in the authentication timestamp. Any later `sudo` invocation on the same terminal while the timestamp was still valid would use that timestamp, potentially bypassing new authentication even if the policy would have required it. A highly-privileged user (able to run commands as other users, or as root, through sudo) who knows one password of an account they are allowed to run commands as, would be able to run commands as any other account the policy permits them to run commands for, even if they don't know the password for those accounts. A common instance of this would be that a user can still use their own password to run commands as root (the default behaviour of `sudo`), effectively negating the intended behaviour of the `targetpw` or `rootpw` options. Version 0.2.10 contains a patch for the issue. Versions prior to 0.2.5 are not affected, since they do not offer `Defaults targetpw` or `Defaults rootpw`.
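The mechanism the description outlines, as an added Rust model that is not sudo-rs's own code: a per-terminal timestamp cache whose record carries the UID that authenticated, with the vulnerable writer (which stores the invoking UID) beside the fixed one. The type and function names, the in-memory store, the integer `tty` scope, the 15-minute timeout and the UIDs 1000 (bob) and 1001 (alice) are assumptions of this example; sudo-rs persists its records on disk per invoking user, which this model elides.

```rust
// Added illustration of CVE-2025-64517: a simplified model of a per-terminal
// sudo authentication timestamp cache. This is NOT sudo-rs's code; the type
// and function names, the in-memory store, the integer tty "scope" and the
// UIDs 1000/1001 are assumptions made for the example. Only the detail the
// advisory describes is modelled: the record must carry the UID whose
// password was verified, not the UID of whoever invoked sudo.
use std::time::{Duration, Instant};

pub type Uid = u32;
pub const ROOT: Uid = 0;

/// Whose password the sudoers policy demands.
#[derive(Clone, Copy, Debug)]
pub enum PwPolicy {
    Invoking, // default sudo: the invoking user's own password
    TargetPw, // `Defaults targetpw`: the password of the run-as account
    RootPw,   // `Defaults rootpw`: always root's password
}

/// UID whose password `invoking` must present to run a command as `target`.
pub fn auth_uid_for(policy: PwPolicy, invoking: Uid, target: Uid) -> Uid {
    match policy {
        PwPolicy::Invoking => invoking,
        PwPolicy::TargetPw => target,
        PwPolicy::RootPw => ROOT,
    }
}

struct Record {
    tty: u32,          // terminal the session is bound to
    invoking_uid: Uid, // user who ran sudo
    auth_uid: Uid,     // account whose password was verified
    verified_at: Instant,
}

pub struct TimestampCache {
    records: Vec<Record>,
    timeout: Duration,
}

impl TimestampCache {
    pub fn new(timeout: Duration) -> Self {
        Self { records: Vec::new(), timeout }
    }

    /// Store a successful authentication.
    pub fn record(&mut self, tty: u32, invoking_uid: Uid, auth_uid: Uid) {
        let verified_at = Instant::now();
        self.records.push(Record { tty, invoking_uid, auth_uid, verified_at });
    }

    /// True if an unexpired record matches this terminal, invoking user and
    /// authenticated account, i.e. the password prompt may be skipped.
    pub fn is_valid(&self, tty: u32, invoking_uid: Uid, auth_uid: Uid) -> bool {
        self.records.iter().any(|r| {
            r.tty == tty
                && r.invoking_uid == invoking_uid
                && r.auth_uid == auth_uid
                && r.verified_at.elapsed() < self.timeout
        })
    }
}

/// Result of one `sudo -u <target>` run in the model.
#[derive(Debug, PartialEq, Eq)]
pub enum Outcome {
    Cached,        // a valid timestamp was found; no password asked
    Prompted(Uid), // the password of this UID was asked for (and accepted)
}

type SudoFn = fn(&mut TimestampCache, PwPolicy, u32, Uid, Uid) -> Outcome;

/// Vulnerable behaviour (sudo-rs 0.2.5 to 0.2.9, as modelled here): the
/// record is written with the invoking UID, so it never says which account's
/// password was checked, and any later run on the same terminal matches it.
pub fn sudo_vulnerable(cache: &mut TimestampCache, policy: PwPolicy,
                       tty: u32, invoking: Uid, target: Uid) -> Outcome {
    let must_auth = auth_uid_for(policy, invoking, target);
    if cache.is_valid(tty, invoking, invoking) {
        return Outcome::Cached;
    }
    cache.record(tty, invoking, invoking); // BUG: should store `must_auth`
    Outcome::Prompted(must_auth)
}

/// Fixed behaviour (0.2.10): the record carries the UID that authenticated,
/// so a cached entry only satisfies a later run needing that same password.
pub fn sudo_fixed(cache: &mut TimestampCache, policy: PwPolicy,
                  tty: u32, invoking: Uid, target: Uid) -> Outcome {
    let must_auth = auth_uid_for(policy, invoking, target);
    if cache.is_valid(tty, invoking, must_auth) {
        return Outcome::Cached;
    }
    cache.record(tty, invoking, must_auth);
    Outcome::Prompted(must_auth)
}

/// Constructed scenario: bob (uid 1000) runs a command as `first_target` on
/// tty 7, then runs one as root on the same tty within the timeout.
/// Returns the outcome of the second (root) invocation.
pub fn scenario(use_fix: bool, policy: PwPolicy, first_target: Uid) -> Outcome {
    let (bob, tty) = (1000, 7);
    let mut cache = TimestampCache::new(Duration::from_secs(15 * 60));
    let run: SudoFn = if use_fix { sudo_fixed } else { sudo_vulnerable };
    let first = run(&mut cache, policy, tty, bob, first_target);
    assert_eq!(first, Outcome::Prompted(auth_uid_for(policy, bob, first_target)));
    run(&mut cache, policy, tty, bob, ROOT)
}

fn main() {
    let alice: Uid = 1001;
    // targetpw: bob authenticated with alice's password, then runs as root.
    println!("vulnerable: {:?}", scenario(false, PwPolicy::TargetPw, alice));
    println!("fixed:      {:?}", scenario(true, PwPolicy::TargetPw, alice));
}
```

With `targetpw`, the vulnerable path returns `Cached` for the root run after bob authenticated as alice (or as himself), which is exactly the bypass in the advisory; the fixed path returns `Prompted(0)`, while under the default `Invoking` policy bob's own password still covers the later root run, as intended.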
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-11-13
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
sudo-rs / sudo-rs: versions 0.2.5 up to, but not including, 0.2.10. The two CPE entries on record, 0.2.5 and 0.2.10, are the endpoints of that range; 0.2.10 itself is the fixed release, and versions before 0.2.5 are unaffected because they do not implement `targetpw` or `rootpw`.
CWE
CWE-287 (Improper Authentication): When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in sudo-rs (versions 0.2.5 to before 0.2.10) involves incorrect recording of the invoking user's UID instead of the authenticated user's UID in the authentication timestamp when using 'Defaults targetpw' or 'Defaults rootpw'. This flaw allows a highly-privileged user who knows one allowed account password to run commands as any other account permitted by policy without knowing those other passwords, effectively bypassing intended authentication requirements.


How can this vulnerability impact me?

The vulnerability can allow a user with elevated sudo privileges and knowledge of one account password to execute commands as other accounts without needing their passwords. This can lead to unauthorized privilege escalation and execution of commands as root or other users, potentially compromising system security.


What immediate steps should I take to mitigate this vulnerability?

Upgrade sudo-rs to version 0.2.10 or later, which contains the fix. Until you can upgrade, the exposure is limited to the lifetime of a cached timestamp on the same terminal, so shorten that window: the standard sudo setting `Defaults timestamp_timeout=0` forces a password prompt on every invocation, and `sudo -k` invalidates the current terminal's timestamp after a privileged command. Removing `Defaults targetpw` or `Defaults rootpw` from the configuration avoids the buggy code path only by giving up the policy those options exist to enforce, so it is a workaround, not a fix. After upgrading, confirm the behaviour on a test system: with `targetpw` set, run a command as one account, then immediately run one as a different account on the same terminal, and check that a second password prompt appears.

