GHSA-q428-6v73-fc4q · Severity: medium · Ecosystem: rust — sudo-rs doesn't record authenticating user properly in timestamp
sudo-rs is a memory safe implementation of sudo and su written in Rust. With `Defaults targetpw` (or `Defaults rootpw`) enabled, the password of the target account (or root account) instead of the invoking user is used for authentication. sudo-rs starting in version 0.2.5 and prior to version 0.2.10 incorrectly recorded the invoking user’s UID instead of the authenticated-as user's UID in the authentication timestamp. Any later `sudo` invocation on the same terminal while the timestamp was still valid would use that timestamp, potentially bypassing new authentication even if the policy would have required it. A highly-privileged user (able to run commands as other users, or as root, through sudo) who knows one password of an account they are allowed to run commands as, would be able to run commands as any other account the policy permits them to run commands for, even if they don't know the password for those accounts. A common instance of this would be that a user can still use their own password to run commands as root (the default behaviour of `sudo`), effectively negating the intended behaviour of the `targetpw` or `rootpw` options. Version 0.2.10 contains a patch for the issue. Versions prior to 0.2.5 are not affected, since they do not offer `Defaults targetpw` or `Defaults rootpw`.
Conclusion & alert: CVE-2025-64517 is rated Low Risk (19/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.02%). Mandatory action: Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2025-11-13 | — | 0.02% | — |
Full EPSS history (1 record total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 4.4 | 3.1 | MEDIUM |
|
0.8 | 3.6 | [email protected] |
GHSA-q428-6v73-fc4q · Severity: medium · Ecosystem: rust — sudo-rs doesn't record authenticating user properly in timestamp
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2025-64517 not yet assigned priority: Debian including 1 source packages (rust-sudo-rs), 3 status rows across 3 suites (forky, sid, trixie): resolved 3. | https://security-tracker.debian.org/tracker/CVE-2025-64517 |
ubuntu
|
medium | CVE-2025-64517 medium priority: Ubuntu including 1 source packages (rust-sudo-rs), 5 status rows across 5 suites (jammy, noble, plucky, questing, upstream): not-affected 2, released 2, DNE 1. | https://ubuntu.com/security/CVE-2025-64517 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| No affected products in dataset. | |||