GHSA-m65q-v92h-cm7q: 
Rust vulnerability analysis and mitigation

A moderate severity vulnerability was identified in the Rust 'users' crate (versions 0.8.0 through 0.11.0) where the package incorrectly appends the root group to group listings. The vulnerability was discovered on January 15, 2025, and officially published to the GitHub Advisory Database on June 5, 2025. This security flaw affects both the supplementary groups of a user and the group access list of the current process (GitHub Advisory, RustSec Advisory).

The vulnerability stems from an implementation flaw in the group listing functionality. When the libc::getgroups function is called, it uses a buffer of 1024 elements initialized to zero. Even when fewer groups are returned (e.g., 42 groups), the code iterates through all 1024 elements. The deduplication process using dedupbykey only removes consecutive duplicate elements, which means non-consecutive appearances of the root group remain in the list. This behavior occurs unless the correct listing contains exactly 1024 groups (GitHub Issue).

The vulnerability can lead to privilege escalation if the affected group listing information is used for access control decisions. Since the root group is incorrectly appended to group listings, systems relying on this information for security decisions may grant unauthorized root-level access (RustSec Advisory).

No patched versions are currently available as the crate is no longer maintained. Users are recommended to either downgrade to versions older than 0.8.0, which do not contain the affected functions, or switch to alternative packages. Recommended alternatives include 'uzers' (an actively maintained fork of the users crate) or 'sysinfo' (RustSec Advisory).