CVE-2025-46717: CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere in trifectatechfoundation sudo-rs

Severity: Low
Type: Vulnerability
Tags: CVE-2025-46717, cve, cve-2025-46717, cwe-497
Published: Mon May 12 2025 (05/12/2025, 14:52:55 UTC)
Source: CVE
Vendor/Project: trifectatechfoundation
Product: sudo-rs

Description

sudo-rs is a memory safe implementation of sudo and su written in Rust. Prior to version 0.2.6, users with no (or very limited) sudo privileges can determine whether files exist in folders that they otherwise cannot access using `sudo --list <pathname>`. Users with local access to a machine can discover the existence/non-existence of certain files, revealing potentially sensitive information in the file names. This information can also be used in conjunction with other attacks. Version 0.2.6 fixes the vulnerability.

AI-Powered Analysis

AI analysis last updated: 07/12/2025, 02:46:52 UTC

Technical Analysis

CVE-2025-46717 is a vulnerability identified in sudo-rs, a Rust-based, memory-safe implementation of the widely used sudo and su utilities. The flaw exists in versions prior to 0.2.6 and allows users with limited or no sudo privileges but with local access to a system to determine the existence or non-existence of files in directories they are otherwise unauthorized to access. This is achieved through the sudo command option '--list <pathname>', which leaks information about file presence. The vulnerability is categorized under CWE-497, which pertains to the exposure of sensitive system information to unauthorized control spheres. Although the vulnerability does not allow direct access to file contents or modification, it reveals potentially sensitive metadata such as file names and directory structure. This information disclosure could be leveraged by attackers to facilitate other attacks, such as privilege escalation, targeted exploitation, or reconnaissance to identify sensitive files or configurations. The issue was addressed and fixed in sudo-rs version 0.2.6. The CVSS 3.1 base score is 3.3, indicating a low severity, with an attack vector limited to local access (AV:L), low attack complexity (AC:L), requiring some privileges (PR:L), no user interaction (UI:N), and only impacting confidentiality (C:L) without affecting integrity or availability. No known exploits are reported in the wild at this time.

Potential Impact

For European organizations, the impact of this vulnerability is relatively limited but non-negligible. Since exploitation requires local access and some level of privileges, the risk is primarily from insider threats or attackers who have already compromised a low-privilege account on a system running vulnerable sudo-rs versions. The information disclosure could aid attackers in mapping sensitive files or configurations, potentially accelerating lateral movement or privilege escalation within the network. Organizations handling sensitive data or critical infrastructure should be cautious, as even minor leaks can be leveraged in multi-stage attacks. The vulnerability does not directly compromise system integrity or availability, but the confidentiality breach could expose operational details or security configurations. Given the increasing adoption of Rust-based tools for security and system utilities in Europe, especially in sectors emphasizing memory safety, the presence of sudo-rs in production environments could be growing, thus increasing exposure. However, the low CVSS score and absence of known exploits suggest a moderate immediate risk, with the main concern being the potential use of this information in conjunction with other vulnerabilities or attack vectors.

Mitigation Recommendations

European organizations should prioritize upgrading sudo-rs to version 0.2.6 or later to remediate this vulnerability. In environments where sudo-rs is deployed, conduct an inventory to identify affected versions and systems. Restrict local access to systems running sudo-rs to trusted personnel only, employing strict access controls and monitoring. Implement robust logging and anomaly detection to identify unusual usage of sudo commands, particularly '--list' invocations by low-privilege users. Employ the principle of least privilege to minimize the number of users with any sudo capabilities. Where possible, consider additional sandboxing or containerization of services using sudo-rs to limit the impact of potential information disclosure. Regularly review and audit file and directory permissions to reduce the sensitivity of exposed file names. Finally, integrate this vulnerability into organizational risk assessments and incident response plans to ensure preparedness for potential exploitation scenarios.
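
One way to implement the '--list' monitoring recommended above, as an added example (not part of the original advisory or the sudo-rs project): it correlates Linux auditd SYSCALL and EXECVE records and reports accounts that pass several distinct pathnames to `sudo --list`. It assumes an audit rule already records execve of the sudo binary; the log lines, the binary names `sudo`/`sudo-rs`, the threshold and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed auditd records (not from a real host). The SYSCALL and EXECVE
# records of one execve() share the "timestamp:serial" id in msg=audit(...).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1747060000.101:501): syscall=59 success=yes auid=1001 uid=1001 comm="sudo" exe="/usr/bin/sudo"
type=EXECVE msg=audit(1747060000.101:501): argc=3 a0="sudo" a1="--list" a2="/root/.ssh/id_ed25519"
type=SYSCALL msg=audit(1747060002.310:502): syscall=59 success=yes auid=1001 uid=1001 comm="sudo" exe="/usr/bin/sudo"
type=EXECVE msg=audit(1747060002.310:502): argc=3 a0="sudo" a1="-l" a2="/root/.aws/credentials"
type=SYSCALL msg=audit(1747060003.875:503): syscall=59 success=yes auid=1001 uid=1001 comm="sudo" exe="/usr/bin/sudo"
type=EXECVE msg=audit(1747060003.875:503): argc=3 a0="sudo" a1="--list" a2=2F726F6F742F6D79206B657973
type=SYSCALL msg=audit(1747060100.002:504): syscall=59 success=yes auid=1002 uid=1002 comm="sudo" exe="/usr/bin/sudo"
type=EXECVE msg=audit(1747060100.002:504): argc=3 a0="sudo" a1="-l" a2="/usr/bin/systemctl"
"""

EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
AUID = re.compile(r"\bauid=(\d+)")
ARG = re.compile(r'\ba(\d+)=("[^"]*"|(?:[0-9A-Fa-f]{2})+)')

def decode_arg(raw):
    # auditd quotes plain arguments and hex-encodes ones with spaces etc.
    if raw.startswith('"'):
        return raw[1:-1]
    return bytes.fromhex(raw).decode("utf-8", "replace")

def probed_paths(argv):
    """Pathname operands of `sudo --list <pathname>`; binary names are assumed."""
    if not argv or argv[0].rsplit("/", 1)[-1] not in ("sudo", "sudo-rs"):
        return []
    opts = [a for a in argv[1:] if a.startswith("-")]
    if not any(a == "--list" or (a[1:2] != "-" and "l" in a) for a in opts):
        return []
    return [a for a in argv[1:] if not a.startswith("-") and "/" in a]

def find_list_enumeration(log_text, threshold=3):
    """Return {auid: [paths]} for accounts probing >= threshold distinct paths."""
    auid_of, argv_of = {}, {}
    for line in log_text.splitlines():
        ev = EVENT_ID.search(line)
        if ev and line.startswith("type=SYSCALL") and AUID.search(line):
            auid_of[ev.group(1)] = int(AUID.search(line).group(1))
        elif ev and line.startswith("type=EXECVE"):
            args = sorted((int(i), decode_arg(r)) for i, r in ARG.findall(line))
            argv_of[ev.group(1)] = [value for _, value in args]
    probes = defaultdict(set)
    for ev, argv in argv_of.items():
        if ev in auid_of:
            probes[auid_of[ev]].update(probed_paths(argv))
    return {u: sorted(p) for u, p in probes.items() if len(p) >= threshold}
```

A single `sudo -l /usr/bin/systemctl` check stays below the threshold; tune the threshold and add a time window to match normal usage on the host.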

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-04-28T20:56:09.083Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d9816c4522896dcbd6815

Added to database: 5/21/2025, 9:08:38 AM

Last enriched: 7/12/2025, 2:46:52 AM

Last updated: 8/12/2025, 4:09:18 PM
