Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-m65q-v92h-cm7q: users may append `root` to group listings

Affected versions append root to group listings, unless the correct listing has exactly 1024 groups.

This affects both:

  • The supplementary groups of a user
  • The group access list of the current process

If the caller uses this information for access control, this may lead to privilege escalation.

This crate is not currently maintained, so a patched version is not available.

Versions older than 0.8.0 do not contain the affected functions, so downgrading to them is a workaround.

Recommended alternatives

  • uzers (an actively maintained fork of the users crate)
  • sysinfo
ghsa
Open in Source

Affected versions append root to group listings, unless the correct listing has exactly 1024 groups.

This affects both:

  • The supplementary groups of a user
  • The group access list of the current process

If the caller uses this information for access control, this may lead to privilege escalation.

This crate is not currently maintained, so a patched version is not available.

Versions older than 0.8.0 do not contain the affected functions, so downgrading to them is a workaround.

Recommended alternatives

  • uzers (an actively maintained fork of the users crate)
  • sysinfo

References

  • ogham/rust-users#44
  • https://rustsec.org/advisories/RUSTSEC-2025-0040.html

ghsa: Latest News

GHSA-98j6-67v3-mw34: Auth0 Symfony SDK Deserialization of Untrusted Data vulnerability
ghsa