{"id":"RUSTSEC-2025-0040","summary":"`root` appended to group listings","details":"Affected versions append `root` to group listings, unless the correct listing\nhas exactly 1024 groups.\n\nThis affects both:\n\n- The supplementary groups of a user\n- The group access list of the current process\n\nIf the caller uses this information for access control, this may lead to\nprivilege escalation.\n\nThis crate is not currently maintained, so a patched version is not available.\n\nVersions older than 0.8.0 do not contain the affected functions, so downgrading\nto them is a workaround.\n\n## Recommended alternatives\n- [`uzers`](https://crates.io/crates/uzers) (an actively maintained fork of the `users` crate)\n- [`sysinfo`](https://crates.io/crates/sysinfo)","aliases":["CVE-2025-5791","GHSA-m65q-v92h-cm7q"],"modified":"2025-10-28T06:28:57.282109Z","published":"2025-01-15T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/users"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2025-0040.html"},{"type":"REPORT","url":"https://github.com/ogham/rust-users/issues/44"}],"affected":[{"package":{"name":"users","ecosystem":"crates.io","purl":"pkg:cargo/users"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.8.0"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"os":[],"functions":[],"arch":[]}},"database_specific":{"informational":null,"cvss":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2025-0040.json","categories":["privilege-escalation"]}}],"schema_version":"1.7.3"}