| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/ubuntu/authd | go | < 0.5.4 | 0.5.4 |
The vulnerability (CVE-2025-5689) occurs when a new authd user logs in via SSH for the first time. Such users were incorrectly assigned to the 'root' group (GID 0) for their SSH session. This was due to the temporary user records created during the pre-authentication Name Service Switch (NSS) request not having an explicit Group ID (GID) set.
In Go, uninitialized integer fields (like GID in the types.UserEntry struct) default to their zero value, which is 0. GID 0 is conventionally the GID of the 'root' group.
The analysis of the patch 619ce8e55953b970f1765ddaad565081538151ab reveals that three key functions were responsible for this behavior:
- github.com/ubuntu/authd/internal/users/tempentries.preAuthUserEntry: This function creates types.UserEntry for pre-authentication. The patch added GID: user.uid, where previously GID was not set, and a TODO comment indicated awareness of it defaulting to 0.
- github.com/ubuntu/authd/internal/users/tempentries.userEntry: Similar to preAuthUserEntry, this function creates types.UserEntry for temporary users and also lacked explicit GID assignment prior to the patch.
- github.com/ubuntu/authd/internal/services/user.(*Service).userPreCheck: This service method returns a types.UserEntry. The patch added u.GID = u.UID, indicating that GID was not set before this change.

These functions, in their pre-patch state, would return or use types.UserEntry objects where the GID field was 0. This user entry was then used by the system, leading to the new user being treated as a member of the root group for that session.
The fix involved explicitly setting the GID to be the same as the UID for these temporary/new users, adhering to the User Private Groups (UPG) convention, and ensuring this GID does not conflict with existing groups.
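
The zero-value behaviour and the UID-as-GID fix described above, as an added example that is not authd's own code. UserEntry here is a simplified stand-in for types.UserEntry, and entryWithoutGID, entryWithPrivateGroup, checkEntry and the sample user are hypothetical names constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// UserEntry is a simplified stand-in for the types.UserEntry struct named in
// the advisory; only the fields needed for the demonstration are kept.
type UserEntry struct {
	Name string
	UID  uint32
	GID  uint32
}

// entryWithoutGID mirrors the pre-patch pattern: GID is never assigned, so Go
// fills it with the zero value, which is also the root group's GID.
func entryWithoutGID(name string, uid uint32) UserEntry {
	return UserEntry{Name: name, UID: uid}
}

// entryWithPrivateGroup mirrors the patched pattern: GID is set explicitly to
// the UID, following the User Private Groups convention.
func entryWithPrivateGroup(name string, uid uint32) UserEntry {
	return UserEntry{Name: name, UID: uid, GID: uid}
}

// ErrRootGroup marks an entry whose primary group is root for a non-root user.
var ErrRootGroup = errors.New("non-root user entry carries GID 0")

// checkEntry is a hypothetical guard (an assumption, not part of the patch):
// it rejects any non-root entry with GID 0 before the entry is handed on.
func checkEntry(u UserEntry) error {
	if u.UID != 0 && u.GID == 0 {
		return fmt.Errorf("%w: user %q uid=%d", ErrRootGroup, u.Name, u.UID)
	}
	return nil
}

func main() {
	// Constructed sample user; the UID is arbitrary.
	for _, u := range []UserEntry{
		entryWithoutGID("alice", 100001),
		entryWithPrivateGroup("alice", 100001),
	} {
		fmt.Printf("%+v -> %v\n", u, checkEntry(u))
	}
}
```

A guard of this kind also works as a unit-test assertion over every constructor that returns a user entry, so a forgotten field fails the build instead of reaching a login session.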