CVE-2025-64170 is a security vulnerability identified in the sudo-rs project, a Rust-based memory-safe implementation of the traditional sudo and su utilities. The flaw exists in versions from 0.2.7 up to but not including 0.2.10. When a user begins entering a password but pauses for an extended period without pressing return, a password timeout triggers. Instead of masking the password input as expected, the partially typed password characters are echoed back to the console. This behavior violates secure password input principles (CWE-549: Missing Password Field Masking). The exposure of partial passwords on screen or in terminal history files can facilitate social engineering or pass-by attacks, where an attacker physically or remotely observes the terminal to capture sensitive information. Exploitation requires local privileged user access and user interaction (typing a password). The vulnerability does not affect confidentiality through remote exploitation but poses a risk in environments where terminals are shared, monitored, or recorded. The issue was addressed and fixed in sudo-rs version 0.2.10. No known exploits are reported in the wild as of the publication date. The CVSS v3.1 score is 3.8, reflecting low severity due to the requirement for local privileged access and user interaction, but with a high confidentiality impact if exploited.

For European organizations, the primary impact is the potential leakage of partial passwords during sudo-rs password entry, which could lead to credential compromise if attackers gain physical or remote access to terminals. This risk is heightened in environments with shared workstations, remote desktop sessions, or where screen content is recorded or monitored. Confidentiality is the main concern, as partial password exposure can enable social engineering or offline password guessing attacks. Integrity and availability are not directly impacted. Organizations relying on sudo-rs for privilege escalation in critical systems could face increased risk of unauthorized access if attackers leverage leaked password fragments. The vulnerability is less impactful in strictly controlled environments with individual terminal use and strong session security. However, in sectors like finance, government, or critical infrastructure within Europe, where privileged access controls are stringent, even low-severity leaks can have cascading effects. The lack of known exploits reduces immediate risk but does not eliminate the need for remediation.

European organizations should upgrade all sudo-rs installations to version 0.2.10 or later to eliminate the vulnerability. Until upgrades are applied, enforce strict terminal session security policies: restrict physical and remote access to terminals, disable screen sharing or recording during password entry, and educate users to avoid pausing during password input. Implement session timeout and lock policies to minimize exposure windows. Review and sanitize shell history configurations to prevent password fragments from being stored. Consider deploying multi-factor authentication to reduce reliance on password secrecy alone. Monitor privileged user activity logs for unusual behavior that might indicate exploitation attempts. For environments where sudo-rs is critical, conduct regular audits and penetration tests focusing on terminal security and password handling. Finally, maintain awareness of updates from trifectatechfoundation and related security advisories.