CVE-2025-32462: 
NixOS vulnerability analysis and mitigation

Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines. The vulnerability was discovered in June 2025 and affects sudo versions 1.8.8 through 1.9.17. This security flaw has been assigned CVE-2025-32462 and carries a CVSS base score of 2.8 (LOW) (MITRE, Sudo Advisory).

The vulnerability stems from sudo's host (-h or --host) option, which was intended only for use with the list option (-l or --list) to display privileges on other hosts. Due to a bug, this option was not properly restricted and could be used when executing commands or editing files. The flaw allows users to bypass host-specific restrictions in the sudoers file by specifying a different host using the -h option, effectively making the hostname portion of sudoers rules irrelevant (Oligo Security, Sudo Advisory).

The vulnerability enables users with sudo access on one host to potentially execute commands on any other host where they have sudo privileges, even if the current host is not explicitly authorized. This primarily affects organizations using common sudoers files distributed across multiple machines or LDAP-based sudoers configurations (Openwall).

The vulnerability has been fixed in sudo version 1.9.17p1. Organizations should update to this version or apply distribution-specific patches. For systems that cannot be immediately updated, administrators should review host-specific rules in sudoers files and consider converting them to group-based or tag-based controls where possible. The fix ensures the -h option is rejected unless used with the -l option (Oligo Security).

Major Linux distributions including Ubuntu, Debian, and Red Hat have released security advisories and patches for their respective versions. Security researchers have emphasized the importance of prompt patching, particularly for organizations using distributed sudoers configurations (SecPod).