CVE-2025-46717
CVE-2025-46717 is a low-severity vulnerability rated 3.3/10 on the CVSS scale. sudo-rs is a memory-safe implementation of sudo and su written in Rust. Prior to version 0.2.6, users with no (or very limited) sudo privileges can determine whether files exist in folders that they otherwise cannot access using `sudo --list <pathname>`. EPSS estimates a 0.31% chance of exploitation in the next 30 days.
Description
sudo-rs is a memory-safe implementation of sudo and su written in Rust. Prior to version 0.2.6, users with no (or very limited) sudo privileges can determine whether files exist in folders that they otherwise cannot access using `sudo --list <pathname>`. Users with local access to a machine can discover the existence or non-existence of certain files, revealing potentially sensitive information in the file names. This information can also be used in conjunction with other attacks. Version 0.2.6 fixes the vulnerability.
Metrics
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Trifectatech | Sudo | < 0.2.6 |
References
- https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-98cv-wqjx-wx8f (Exploit, Vendor Advisory)
Timeline
- Published
- Last Modified
- Status: Analyzed
Source: NVD / NIST
