CVE-2019-25016

high

Published — · Modified —

CVSS v3

—

CVSS v2

—

VIR risk

8.0

Description

In OpenDoas from 6.6 to 6.8 the users PATH variable was incorrectly inherited by authenticated executions if the authenticating rule allowed the user to execute any command. Rules that only allowed to authenticated user to execute specific commands were not affected by this issue.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2019-25016

vendor Authored 2026-05-27

Vendor advisory: arch — https://security.archlinux.org/ASA-202102-8

OS impact

OS	Version	Status	Fixed in
arch		fixed	`6.8.1-2`
debian	bullseye	fixed	`0`

References

https://security.archlinux.org/ASA-202102-8
https://security-tracker.debian.org/tracker/CVE-2019-25016

Verify integrity in audit chain (admin only). AS-IS.