CVE-2025-46717


sudo-rs is a memory-safe implementation of sudo and su written in Rust. Prior to version 0.2.6, users with no (or very limited) sudo privileges can use `sudo --list <pathname>` to determine whether files exist in folders that they otherwise cannot access. Users with local access to a machine can discover the existence or non-existence of certain files, revealing potentially sensitive information in the file names. This information can also be used in conjunction with other attacks. Version 0.2.6 fixes the vulnerability.


Published: 2025-05-12T15:16:01.260

Last Modified: 2025-07-09T01:51:08.943

Status: Analyzed

Source: [email protected]

Severity: CVSSv3.1: 3.3 (LOW)

Weaknesses
  • Type: Secondary
    CWE-497
  • Type: Primary
    NVD-CWE-noinfo

Affected Vendors & Products
| Type | Vendor | Product | Version/Range | Vulnerable? |
| --- | --- | --- | --- | --- |
| Application | trifectatech | sudo | < 0.2.6 | Yes |
