The vulnerability identified as CVE-2025-64170 affects sudo-rs, a memory-safe Rust implementation of the traditional sudo and su commands used for privilege escalation on Unix-like systems. Specifically, in versions 0.2.7 through 0.2.9, if a user starts typing their password but does not press the return key promptly, a password timeout mechanism triggers. Instead of masking the password input as is standard practice, the partially typed password characters are echoed back to the console. This behavior violates the principle of password field masking (CWE-549), potentially exposing sensitive password fragments to anyone observing the terminal or through residual data in shell history files if the user inadvertently saves such input. The exposure is limited to partial passwords and requires the user to delay input, but it nonetheless increases the risk of credential leakage through shoulder surfing, social engineering, or physical pass-by attacks. The vulnerability does not affect the confidentiality of the entire password if the user completes input normally and presses return promptly. The issue was addressed and fixed in sudo-rs version 0.2.10. The CVSS v3.1 score of 3.8 reflects a low severity due to the requirement for local privileges, user interaction, and the limited scope of impact (confidentiality only, no integrity or availability impact). No public exploits have been reported to date.

For European organizations, the impact of this vulnerability is generally low but non-negligible in environments where sudo-rs is deployed and used interactively by privileged users. Exposure of partial password input could lead to credential compromise if attackers have physical or remote access to terminals or if users inadvertently save terminal output or history files containing echoed passwords. This risk is heightened in shared or public workspaces, or in organizations with lax terminal security policies. While the vulnerability does not allow direct privilege escalation or system compromise, it undermines password confidentiality and could facilitate targeted social engineering or pass-by attacks. Organizations with high-security requirements or those handling sensitive data should consider the risk more seriously. The lack of known exploits and the requirement for local user interaction reduce the immediacy of the threat, but the vulnerability should be remediated promptly to maintain best security practices.

European organizations should upgrade all sudo-rs deployments to version 0.2.10 or later to eliminate this vulnerability. Until upgrades are applied, users should be trained to avoid delaying password entry and to ensure they press return promptly to prevent timeout-triggered echoing. Terminal sessions should be secured to prevent unauthorized observation, including use of privacy screens and restricting physical access. Organizations should audit shell history configurations to ensure that password inputs or terminal outputs are not inadvertently logged or saved. Implementing session timeout policies and terminal locking can reduce the risk of pass-by attacks. Monitoring for unusual terminal activity or user reports of unexpected password echoes can help detect exploitation attempts. Finally, organizations should consider whether sudo-rs is appropriate for their environment or if traditional sudo implementations with mature security controls are preferable.