Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🦀 crates.io

GHSA-2j3p-gqw5-g59j

HIGH

theshit's Improper Privilege Dropping Allows Local Privilege Escalation via Command Re-execution

Also known asCVE-2026-21882
Published
Mar 2, 2026
Updated
Mar 4, 2026
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.2%probability of exploitation in next 30 days
Lower Risk7th percentile+0.16%
0.00%0.23%0.45%0.68%0.0%0.0%0.0%0.2%Apr 26Jun 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected
🦀theshit

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects crates.io packages — download data is not available via public APIs for these ecosystems.

Description

Impact

Vulnerability Type: Local Privilege Escalation (LPE) / Improper Privilege Management / Arbitrary Command Execution.

The application automatically re-executes the previously failed command but does not properly drop elevated privileges during this process.

When the tool is executed with sudo or otherwise runs with an effective UID of root, it records the last executed command and attempts to rerun it. However, the application fails to restore the original unprivileged user context before re-executing the command. As a result, the retried command is executed with root privileges, even if the original command was issued by an unprivileged user.

This allows a local attacker to intentionally trigger a failed command under elevated execution and gain arbitrary command execution as root via the retry mechanism.

Who is impacted: Any system where this tool is executed with elevated privileges is affected. The risk is especially high in environments where the tool is permitted to run via sudo, including configurations with NOPASSWD, as an unprivileged user can escalate privileges to root without additional interaction.

Proof of Concept

To verify the vulnerability without a shell, attempt to create a file in a root-protected directory.

1. Verify the file does not exist

sudo ls /root/proof_of_lpe
# Output: No such file or directory

2. Run the vulnerable command

sudo bash -c "SH_PREV_CMD='touch /root/proof_of_lpe' target/release/theshit fix"

3. Check if the file was created by root

sudo ls -l /root/proof_of_lpe

Expected Result: The command succeeds silently, and the file /root/proof_of_lpe is created, confirming arbitrary command execution with root privileges.

Patches

The issue has been fixed in version 0.1.2.

The patch ensures that privilege levels are correctly handled during command re-execution. Before retrying any previously executed command, the application now explicitly resets the effective UID and GID to the original invoking user.

Workarounds

If upgrading is not possible, users should avoid executing the application with sudo or as the root user.

As a temporary mitigation, administrators should restrict the use of the tool in privileged contexts and ensure it is not included in sudoers configurations, particularly with NOPASSWD. Running the tool strictly as an unprivileged user prevents exploitation of the retry mechanism.

References

  • Commit fixing the issue
  • CWE-269: Improper Privilege Management
  • CWE-273: Improper Check for Dropped Privileges
  • CWE-250: Execution with Unnecessary Privileges

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
🦀crates.iotheshitall versions0.2.0

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for theshit. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update theshit to 0.2.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-2j3p-gqw5-g59j is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-2j3p-gqw5-g59j is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-2j3p-gqw5-g59j. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Impact **Vulnerability Type:** Local Privilege Escalation (LPE) / Improper Privilege Management / Arbitrary Command Execution. The application automatically re-executes the previously failed command but does not properly drop elevated privileges during this process. When the tool is executed with `sudo` or otherwise runs with an effective UID of root, it records the last executed command and attempts to rerun it. However, the application fails to restore the original unprivileged user context before re-executing the command. As a result, the retried command is executed with root privile
O3 Security · Impact-Aware SCA

Is GHSA-2j3p-gqw5-g59j in your dependencies?

O3 detects GHSA-2j3p-gqw5-g59j across crates.io dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works