CVE-2025-64170

EUVD-2025-131955
sudo-rs is a memory safe implementation of sudo and su written in Rust. Starting in version 0.2.7 and prior to version 0.2.10, if a user begins entering a password but does not press return for an extended period, a password timeout may occur. When this happens, the keystrokes that were entered are echoed back to the console. This could reveal partial password information, possibly exposing history files when not carefully handled by the user and on screen, usable for Social Engineering or Pass-By attacks. Version 0.2.10 fixes the issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.8 LOW
PHYSICAL
HIGH
HIGH
CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N
GitHub_MCNA
3.8 LOW
PHYSICAL
HIGH
HIGH
CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 4%
Debian logo
Debian Releases
Debian Product
Codename
rust-sudo-rs
forky
0.2.10-1
fixed
sid
0.2.10-1
fixed
trixie
0.2.5-5+deb13u1
fixed
trixie (security)
0.2.5-5+deb13u1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
rust-sudo-rs
jammy
dne
noble
not-affected
plucky
not-affected
questing
Fixed 0.2.8-1ubuntu5.2
released
Common Weakness Enumeration
References
https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.10
https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-c978-wq47-pvvw