GHSA-c978-wq47-pvvw
sudo-rs: Partial password reveal is possible after timeout
Details
### Summary

If a user begins entering a password but does not press return for an extended period, the password timeout fires. When this happens, the keystrokes that were already typed are not discarded: they are echoed back to the console, appearing at the shell prompt as if they had been typed there.
### Example

Using sudo-rs:

```
geiger@cerberus:~$ sudo -s
[sudo: authenticate] Password:
sudo-rs: timed out
geiger@cerberus:~$ testtesttest
```

Here "testtesttest" was typed at the password prompt without pressing return; after the timeout expired it reappeared at the shell prompt.
### Impact

This can reveal part of a password. The leaked keystrokes are visible on screen, and because they land at the shell prompt as if typed there, they can also end up in the shell history file if the user does not notice and clear them before pressing return. Either exposure is usable for social engineering or pass-by (shoulder-surfing) attacks.
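The mechanism behind the advisory, as an added example that is not part of the advisory or of sudo-rs: a C password prompt that disables terminal echo, waits for a complete line with a timeout, and on timeout either leaves the typed keystrokes queued in the tty (the behaviour reported above) or discards them with tcflush(TCIFLUSH) before restoring the terminal (the standard mitigation; whether the sudo-rs fix commit does exactly this is not stated on this page). The scenario runs on a pseudo-terminal with the constructed input "testtesttest"; the function names, the 100 ms timeout and the pty harness are this example's own.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <termios.h>
#include <unistd.h>

#define PTY_UNAVAILABLE (-2)  /* sentinel: no pseudo-terminal in this environment */

/* An in-progress prompt: the tty fd and the attributes to restore afterwards. */
struct pw_prompt { int fd; struct termios saved; };

/* Open a pseudo-terminal pair so the scenario runs without a real console. */
static int open_pty_pair(int *master, int *slave)
{
    int m = posix_openpt(O_RDWR | O_NOCTTY);
    if (m < 0) return -1;
    if (grantpt(m) < 0 || unlockpt(m) < 0 || ptsname(m) == NULL) { close(m); return -1; }
    int s = open(ptsname(m), O_RDWR | O_NOCTTY);
    if (s < 0) { close(m); return -1; }
    *master = m; *slave = s;
    return 0;
}

/* Start the prompt: keep canonical (line-buffered) mode, stop echoing keystrokes. */
static int pw_prompt_begin(struct pw_prompt *p, int fd)
{
    if (tcgetattr(fd, &p->saved) < 0) return -1;
    p->fd = fd;
    struct termios hidden = p->saved;
    hidden.c_lflag |= ICANON;
    hidden.c_lflag &= ~(tcflag_t)ECHO;
    return tcsetattr(fd, TCSANOW, &hidden);
}

/* Wait up to timeout_ms for a complete line. Returns its length without the
 * newline, 0 on timeout, -1 on error; the terminal is restored in every case.
 * With flush_on_timeout set, keystrokes typed before the timeout are discarded
 * before echo comes back; without it they stay queued in the tty and are handed
 * to the next process that reads, which is what the advisory describes. */
static ssize_t pw_prompt_read(struct pw_prompt *p, char *buf, size_t len,
                              int timeout_ms, int flush_on_timeout)
{
    struct pollfd pfd = { .fd = p->fd, .events = POLLIN, .revents = 0 };
    ssize_t n = -1;
    int ready = poll(&pfd, 1, timeout_ms);   /* canonical mode: readable only on a full line */
    if (ready > 0) {
        n = read(p->fd, buf, len);
        if (n > 0 && buf[n - 1] == '\n') n--;   /* drop the line terminator */
    } else if (ready == 0) {
        if (flush_on_timeout) tcflush(p->fd, TCIFLUSH);  /* the fix: nothing left for the shell */
        n = 0;
    }
    tcsetattr(p->fd, TCSANOW, &p->saved);     /* echo back on */
    return n;
}

/* Act like the shell that takes over after the prompt: switch the tty to
 * non-canonical, non-blocking reads and collect whatever is already queued. */
static ssize_t drain_pending_input(int fd, char *out, size_t len)
{
    struct termios raw;
    if (tcgetattr(fd, &raw) < 0) return -1;
    raw.c_lflag &= ~(tcflag_t)(ICANON | ECHO);
    raw.c_cc[VMIN] = 0;
    raw.c_cc[VTIME] = 0;
    if (tcsetattr(fd, TCSANOW, &raw) < 0) return -1;
    return read(fd, out, len);                /* 0 when nothing is queued */
}

/* Replay the advisory's scenario on a pty: the constructed input "testtesttest"
 * is typed with no return, the prompt times out, and we count the bytes the
 * next reader receives. */
static int leaked_bytes_after_timeout(int flush_on_timeout)
{
    static const char typed[] = "testtesttest";   /* constructed sample keystrokes */
    int master, slave, result = -1;
    char line[128], leftover[128];
    ssize_t leaked;
    struct pw_prompt p;

    if (open_pty_pair(&master, &slave) < 0) return PTY_UNAVAILABLE;
    if (pw_prompt_begin(&p, slave) < 0) goto out;
    if (write(master, typed, sizeof typed - 1) != (ssize_t)(sizeof typed - 1)) goto out;
    if (pw_prompt_read(&p, line, sizeof line, 100, flush_on_timeout) != 0) goto out;
    leaked = drain_pending_input(slave, leftover, sizeof leftover);
    if (leaked >= 0) result = (int)leaked;
out:
    close(slave);
    close(master);
    return result;
}

int main(void)
{
    printf("without flush: %d byte(s) leaked to the shell\n", leaked_bytes_after_timeout(0));
    printf("with flush:    %d byte(s) leaked to the shell\n", leaked_bytes_after_timeout(1));
    return 0;
}
```

Run as is, it reports 12 leaked bytes without the flush and 0 with it. The prompt itself never echoes anything; the kernel keeps the unfinished line queued, and the shell's line editor, which switches the tty to non-canonical mode, reads and displays it, which is why the text surfaces at the shell prompt in the transcript above. Restoring the attributes with TCSAFLUSH instead of TCSANOW performs the discard and the restore in one call.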
### Versions affected

Password timeouts were added in sudo-rs 0.2.7 (with a default of 5 minutes), so 0.2.7 and later releases before the fix are affected.
### Credits

This issue was discovered and reported by @DevLaTron.
Affected packages
- sudo-rs (ecosystem: crates.io): affected >= 0.2.7, < 0.2.10. Fixed in 0.2.10; upgrade sudo-rs to 0.2.10 or newer.
References
- https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-c978-wq47-pvvw [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2025-64170 [ADVISORY]
- https://github.com/trifectatechfoundation/sudo-rs/commit/0e3d3837aec3ee9fb5dcb8bfe11e8adb367f58f4 [WEB]
- https://github.com/trifectatechfoundation/sudo-rs [PACKAGE]
- https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.10 [WEB]