CVE-2025-64170

12.11.2025, 21:15

sudo-rs is a memory safe implementation of sudo and su written in Rust. Starting in version 0.2.7 and prior to version 0.2.10, if a user begins entering a password but does not press return for an extended period, a password timeout may occur. When this happens, the keystrokes that were entered are echoed back to the console. This could reveal partial password information, possibly exposing history files when not carefully handled by the user and on screen, usable for Social Engineering or Pass-By attacks. Version 0.2.10 fixes the issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	3.8 LOW	PHYSICAL	HIGH	HIGH	CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N
GitHub_M	CNA	3.8 LOW	PHYSICAL	HIGH	HIGH	CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

rust-sudo-rs

trixie	vulnerable
trixie (security)	0.2.5-5+deb13u1 fixed
forky	0.2.10-1 fixed
sid	0.2.10-1 fixed

Common Weakness Enumeration

CWE-549 - Missing Password Field Masking
The software does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.

References

https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.10

https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-c978-wq47-pvvw