GHSA-2p6r-x3vv-xqm2

Source
https://github.com/advisories/GHSA-2p6r-x3vv-xqm2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-2p6r-x3vv-xqm2/GHSA-2p6r-x3vv-xqm2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2p6r-x3vv-xqm2
Published
2026-05-06T21:49:33Z
Modified
2026-05-07T20:14:22.788471209Z
Severity
  • 3.8 (Low) CVSS_V3 - CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N
Summary
rpassword affected by partial password reveal when input is interrupted
Details

rpassword maintainers were made aware of a possible issue with a partial password reveal when input is interrupted.

To quote @squell:

@conradkleinespel I've confirmed this problem with SequoiaPGP, which I think uses rpassword, e.g.:

Suppose we use pkill -9 sq in a different terminal right after the password has been typed in:

    $ sq key generate --userid "barf" --with-password
    Enter password to protect the key: Killed
    $ hello^C

Where the password I typed in is "hello".

This has been fixed in version v7.5.0 and above.

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2026-05-06T21:49:33Z",
    "cwe_ids": [
        "CWE-200",
        "CWE-755"
    ],
    "severity": "LOW",
    "github_reviewed": true
}

Affected packages

crates.io / rpassword

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
7.5.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-2p6r-x3vv-xqm2/GHSA-2p6r-x3vv-xqm2.json"
last_known_affected_version_range
"<= 7.4.0"