
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A critical security vulnerability (CVE-2025-5791) was discovered in the users crate for Rust, reported on June 3, 2025. The vulnerability affects versions 0.8.0 and later of the crate, causing incorrect group listing behavior that could lead to privilege escalation. The flaw occurs when a user or process has fewer than 1024 groups, resulting in the erroneous inclusion of the root group in the access list (NVD, RustSec).
The vulnerability stems from a buffer handling issue in the group_access_list() function. When retrieving group listings, the function creates a fixed-size vector of 1024 elements initialized to zero and processes all elements regardless of the actual number of groups returned by libc::getgroups. This implementation flaw causes the root group to be incorrectly appended to group listings. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N (NVD, GitHub Issue).
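The buffer handling described above can be reproduced in a few lines. The following is an added example, not the crate's source: fake_getgroups is a hypothetical stand-in for libc::getgroups so the code runs offline, the sample GIDs are constructed, and collapsing consecutive duplicates is an assumption of this model.

```rust
// Added illustration of the pattern described above; not the crate's source.
const BUF_LEN: usize = 1024;

/// Hypothetical stand-in for libc::getgroups so the example runs offline:
/// copies `real` into `buf` and returns the number of entries written.
fn fake_getgroups(real: &[u32], buf: &mut [u32]) -> i32 {
    if real.len() > buf.len() {
        return -1;
    }
    buf[..real.len()].copy_from_slice(real);
    real.len() as i32
}

/// Flawed: the returned count is only checked for errors, so every
/// zero-initialised slot after the real entries is read as GID 0 (root).
fn groups_flawed(real: &[u32]) -> Result<Vec<u32>, String> {
    let mut buf = vec![0u32; BUF_LEN];
    if fake_getgroups(real, &mut buf) < 0 {
        return Err("getgroups failed".into());
    }
    // Model assumption: consecutive duplicates are collapsed, so the run of
    // padding zeros shows up as one trailing root entry.
    buf.dedup();
    Ok(buf)
}

/// Hardened: keep only the first `n` entries the call reported.
fn groups_fixed(real: &[u32]) -> Result<Vec<u32>, String> {
    let mut buf = vec![0u32; BUF_LEN];
    let n = fake_getgroups(real, &mut buf);
    if n < 0 {
        return Err("getgroups failed".into());
    }
    buf.truncate(n as usize);
    Ok(buf)
}

fn main() {
    let real: [u32; 3] = [1000, 27, 100]; // constructed sample GIDs
    println!("flawed: {:?}", groups_flawed(&real));
    println!("fixed:  {:?}", groups_fixed(&real));
}
```

In this model a process with no supplementary groups at all is reported as a member of the root group, and only a list of exactly 1024 entries comes back unchanged.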
The vulnerability affects two critical security aspects: the supplementary groups of a user and the group access list of the current process. When this information is used for access control decisions, it can lead to privilege escalation as systems may incorrectly grant root group privileges to users or processes that should not have such access (RustSec).
As the crate is currently unmaintained, no official patch is available. The recommended workaround is to downgrade to versions older than 0.8.0, which do not contain the affected functions. Alternatively, users should switch to recommended alternatives such as uzers (an actively maintained fork of the users crate) or sysinfo (RustSec).
Source: This report was generated using AI