VDB
KO

RUSTSEC-2025-0040

`root` appended to group listings

Details

Affected versions append `root` to group listings, unless the correct listing has exactly 1024 groups.

This affects both:

- The supplementary groups of a user - The group access list of the current process

If the caller uses this information for access control, this may lead to privilege escalation.

This crate is not currently maintained, so a patched version is not available.

Versions older than 0.8.0 do not contain the affected functions, so downgrading to them is a workaround.

## Recommended alternatives - [`uzers`](https://crates.io/crates/uzers) (an actively maintained fork of the `users` crate) - [`sysinfo`](https://crates.io/crates/sysinfo)

Are you affected?

Enter the version of the package you're using.

Affected packages

crates.io / users
Introduced in: 0.8.0

No fixed version published yet for users. Pin to a known-safe version or switch to an alternative.

References