
CVE-2025-5791: Users: `root` appended to group listings

Description

A flaw was found in the `users` crate for Rust. This vulnerability allows privilege escalation via an incorrect group listing: when a user or process belongs to fewer than 1024 groups, the root group is erroneously included in the access list.
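As an added illustration (not the crate's code), the following shows how a fixed 1024-entry group buffer can leak gid 0 when the result is not cut down to the count the lookup reports, beside the truncating version and a caller-side check; the zero-initialised, non-truncated buffer is an assumed mechanism rather than one this record states, and `fill_groups` is a hypothetical stand-in for getgrouplist(3) so the example runs offline.

```rust
// Assumed illustration of the defect class; the fill routine stands in for
// getgrouplist(3) so no real user database is needed.
type Gid = u32;
const ROOT_GID: Gid = 0;
const BUF_CAPACITY: usize = 1024; // the boundary named in the advisory

/// Stand-in for getgrouplist(3): copies the user's groups into `buf` and
/// reports how many were written, leaving the rest of the buffer untouched.
fn fill_groups(user_groups: &[Gid], buf: &mut [Gid]) -> usize {
    let n = user_groups.len().min(buf.len());
    buf[..n].copy_from_slice(&user_groups[..n]);
    n
}

/// Defective pattern (assumed): zero-initialised buffer, adjacent duplicates
/// removed, nothing truncated to `count`. Any unused tail collapses into one
/// leftover 0, which is the root group. Only a full buffer (exactly 1024
/// groups) has no tail to leak.
fn groups_without_truncation(user_groups: &[Gid]) -> Vec<Gid> {
    let mut buf: Vec<Gid> = vec![0; BUF_CAPACITY];
    let _count = fill_groups(user_groups, &mut buf);
    buf.dedup();
    buf
}

/// Hardened pattern: keep exactly the `count` entries the lookup reported.
fn groups_truncated(user_groups: &[Gid]) -> Vec<Gid> {
    let mut buf: Vec<Gid> = vec![0; BUF_CAPACITY];
    let count = fill_groups(user_groups, &mut buf);
    buf.truncate(count);
    buf.dedup();
    buf
}

/// Defensive check a caller can apply to any listing: root must appear only
/// if the authoritative membership source actually contains it.
fn has_spurious_root(listing: &[Gid], authoritative: &[Gid]) -> bool {
    listing.contains(&ROOT_GID) && !authoritative.contains(&ROOT_GID)
}

fn main() {
    let user = [1000, 27, 44]; // constructed sample membership
    let buggy = groups_without_truncation(&user);
    let fixed = groups_truncated(&user);
    println!("buggy: {:?} spurious root: {}", buggy, has_spurious_root(&buggy, &user));
    println!("fixed: {:?} spurious root: {}", fixed, has_spurious_root(&fixed, &user));
}
```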

Classification

CVE ID: CVE-2025-5791

Problem Types

Incorrect Privilege Assignment

Affected Products

Vendor: Red Hat

Product: Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 9, Red Hat OpenShift Container Platform 4, Red Hat Trusted Profile Analyzer

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.01% (estimated probability of exploitation in the wild)

EPSS Percentile: 0.24% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-27 (date the score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: total

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2025-5791
https://access.redhat.com/security/cve/CVE-2025-5791
https://bugzilla.redhat.com/show_bug.cgi?id=2370001
https://crates.io/crates/users
https://github.com/ogham/rust-users/issues/44
https://rustsec.org/advisories/RUSTSEC-2025-0040.html

Timeline