RUSTSEC-2025-0040
`root` appended to group listings
Details
Affected versions append `root` to group listings, unless the correct listing has exactly 1024 groups.
This affects both:
- The supplementary groups of a user - The group access list of the current process
If the caller uses this information for access control, this may lead to privilege escalation.
This crate is not currently maintained, so a patched version is not available.
Versions older than 0.8.0 do not contain the affected functions, so downgrading to them is a workaround.
## Recommended alternatives - [`uzers`](https://crates.io/crates/uzers) (an actively maintained fork of the `users` crate) - [`sysinfo`](https://crates.io/crates/sysinfo)
Are you affected?
Enter the version of the package you're using.
Affected packages
0.8.0 No fixed version published yet for users. Pin to a known-safe version or switch to an alternative.
References
- https://crates.io/crates/users [PACKAGE]
- https://rustsec.org/advisories/RUSTSEC-2025-0040.html [ADVISORY]
- https://github.com/ogham/rust-users/issues/44 [REPORT]