
Cloud Vulnerability DB
A community-led vulnerabilities database
sudo-rs, a memory safe implementation of sudo and su written in Rust, contains a vulnerability (CVE-2025-64170) discovered in versions 0.2.7 through 0.2.10. The vulnerability occurs when a user begins entering a password but does not press return for an extended period, causing a password timeout. When this timeout occurs, the previously entered keystrokes are echoed back to the console, potentially exposing sensitive password information (GitHub Advisory, NVD).
The vulnerability is tracked as CWE-549 (Missing Password Field Masking) with a CVSS v3.1 base score of 3.8 (Low). The CVSS vector is CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N, indicating physical access is required, with high attack complexity, high privileges required, and user interaction needed. The vulnerability was caused by a mishandling of terminal modes during password input with a timeout, specifically when the code did not disable the terminal's canonical mode (Miggo).
The vulnerability could reveal partial password information, and the echoed text may in turn end up in shell history files if the user does not handle it carefully. This information could be leveraged for social engineering or pass-by attacks. The impact primarily affects confidentiality, with no direct effect on system integrity or availability (GitHub Advisory).
The vulnerability has been fixed in version 0.2.10 of sudo-rs. Users are advised to upgrade to this version or later. The fix addresses the issue by ensuring that canonical mode is always disabled when reading a password, regardless of whether visual feedback is enabled (GitHub Release).
The vulnerability was discovered and reported by @DevLaTron, and the fix was developed with contributions from multiple developers including @bjorn3, @squell, and @MggMuggins (GitHub Advisory).
Source: This report was generated using AI