GHSA-q428-6v73-fc4q
MEDIUMsudo-rs doesn't record authenticating user properly in timestamp
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
sudo-rsReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects crates.io packages — download data is not available via public APIs for these ecosystems.
Description
Summary
When Defaults targetpw (or Defaults rootpw) is enabled, the password of the target account (or root account) instead of the invoking user is used for authentication. sudo-rs prior to 0.2.10 incorrectly recorded the invoking user’s UID instead of the authenticated-as user's UID in the authentication timestamp. Any later sudo invocation on the same terminal while the timestamp was still valid would use that timestamp, potentially bypassing new authentication even if the policy would have required it.
Impact
A highly-privileged user (able to run commands as other users, or as root, through sudo) who knows one password of an account they are allowed to run commands as, would be able to run commands as any other account the policy permits them to run commands for, even if they don't know the password for those accounts.
A common instance of this would be that a user can still use their own password to run commands as root (the default behaviour of sudo), effectively negating the intended behaviour of the targetpw or rootpw options.
Example
With this in /etc/sudoers:
Defaults targetpw
user ALL=(ALL:ALL) ALL
First run:
user@machine$ sudo -g root whoami
[sudo: authenticate] Password: <password for user>
user
Then run:
user@machine$ sudo -u root whoami
root
Affected versions
sudo-rs prior to 0.2.5 are not affected, since they do not offer Defaults targetpw or Defaults rootpw.
Credits
This issue was discovered and reported by @Pingasmaster.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🦀crates.io | sudo-rs | ≥ 0.2.5&&< 0.2.10 | 0.2.10 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for sudo-rs. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update sudo-rs to 0.2.10 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-q428-6v73-fc4q is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-q428-6v73-fc4q is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-q428-6v73-fc4q. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-q428-6v73-fc4q in your dependencies?
O3 detects GHSA-q428-6v73-fc4q across crates.io dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.