CVE-2025-46717: sudo-rs Allows Low Privilege Users to Discover the Existence of Files in Inaccessible Folders

3.3 CVSS

Description

sudo-rs is a memory safe implementation of sudo and su written in Rust. Prior to version 0.2.6, users with no (or very limited) sudo privileges can determine whether files exists in folders that they otherwise cannot access using `sudo --list `. Users with local access to a machine can discover the existence/non-existence of certain files, revealing potentially sensitive information in the file names. This information can also be used in conjunction with other attacks. Version 0.2.6 fixes the vulnerability.

Classification

CVE ID: CVE-2025-46717

CVSS Base Severity: LOW

CVSS Base Score: 3.3

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Problem Types

CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere

Affected Products

Vendor: trifectatechfoundation

Product: sudo-rs

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.01% (probability of being exploited)

EPSS Percentile: 1.4% (scored less or equal to compared to others)

EPSS Date: 2025-06-06 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-46717
https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-98cv-wqjx-wx8f
https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.6

Timeline

2025-05-12 15:40:16 UTC
CVE

sudo-rs Allows Low Privilege Users to Discover the Existence of Files in Inaccessible Folders
2025-05-13 15:15:23 UTC
Github Advisory Database (Rust)

[sudo-rs] sudo-rs Allows Low Privilege Users to Discover the Existence of Files in Inaccessible Folders