GHSA-2p6r-x3vv-xqm2: rpassword affected by partial password reveal when input is interrupted
The rpassword maintainers were made aware of a possible partial password reveal when password input is interrupted.
To quote @squell:
@conradkleinespel I’ve confirmed this problem with SequoiaPGP, which I think uses rpassword, e.g.:
Suppose we use pkill -9 sq in a different terminal right after the password has been typed in:
```
$ sq key generate --userid "barf" --with-password
Enter password to protect the key: Killed
$ hello^C
```
Where the password I typed in is “hello”.
This has been fixed in version v7.5.0 and above.
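The mechanism behind the quoted session, as an added illustration that is not rpassword's code and does not describe the v7.5.0 fix itself: on a POSIX tty in canonical mode, bytes typed before Enter sit in the kernel's line buffer, and a process killed with SIGKILL never gets to read or discard them, nor to restore echo; the next reader of the terminal, here the shell, receives them and its line editor echoes them, which is the `$ hello` above. The hidden-input reader below (function names are this example's own, POSIX termios assumed) narrows the window by clearing ICANON as well as ECHO so that read() consumes each keystroke as it arrives, restores the terminal with TCSAFLUSH so unread bytes are discarded on normal completion and on catchable signals, and falls back to plain reads on a non-tty descriptor so the logic can be exercised with a pipe.

```c
/* hidden_read.c: added example, not rpassword's code. Reads a line with
 * echo disabled without parking the typed bytes in the kernel's tty line
 * buffer. Assumes POSIX termios (Linux/BSD); names are this example's own. */
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Terminal state to put back if a catchable signal arrives mid-read.
 * SIGKILL cannot be caught, so this is only part of the defence. */
static struct termios g_saved;
static volatile sig_atomic_t g_restore_fd = -1;

/* Local-mode flags for hidden, per-keystroke input: ECHO off so the bytes
 * are not displayed, ICANON off so every byte is handed to read() at once
 * instead of waiting in the kernel's line buffer. ISIG is left alone, so
 * ^C in the same terminal still works (and flushes the tty queues). */
tcflag_t hidden_lflag(tcflag_t lflag) {
    return lflag & ~(tcflag_t)(ECHO | ICANON);
}

static void restore_and_reraise(int sig) {
    if (g_restore_fd >= 0) {
        /* TCSAFLUSH restores the mode and discards any bytes not yet read */
        tcsetattr((int)g_restore_fd, TCSAFLUSH, &g_saved);
    }
    signal(sig, SIG_DFL);
    raise(sig);
}

/* Reads one line from fd into buf (at most n-1 bytes, newline stripped).
 * Returns the number of bytes stored, or -1 on error. On a tty the input
 * is hidden; on a pipe or file it is read as is, which is what lets the
 * function be tested without a terminal. */
ssize_t read_hidden_line(int fd, char *buf, size_t n) {
    struct termios cur;
    int is_tty = (tcgetattr(fd, &cur) == 0);
    if (is_tty) {
        g_saved = cur;
        g_restore_fd = fd;
        cur.c_lflag = hidden_lflag(cur.c_lflag);
        cur.c_cc[VMIN] = 1;   /* read() returns as soon as one byte arrives */
        cur.c_cc[VTIME] = 0;
        /* TCSAFLUSH here drops type-ahead that arrived before the prompt */
        if (tcsetattr(fd, TCSAFLUSH, &cur) != 0) { g_restore_fd = -1; return -1; }
        signal(SIGINT, restore_and_reraise);
        signal(SIGTERM, restore_and_reraise);
        signal(SIGHUP, restore_and_reraise);
    }

    size_t len = 0;
    ssize_t rc = 0;
    while (len + 1 < n) {
        char c;
        rc = read(fd, &c, 1);
        if (rc <= 0 || c == '\n' || c == '\r') break;
        buf[len++] = c;
    }
    buf[len] = '\0';

    if (is_tty) {
        ssize_t w = write(fd, "\n", 1);  /* the newline ECHO would have shown */
        (void)w;                         /* ignored if fd is read-only */
        tcsetattr(fd, TCSAFLUSH, &g_saved);
        g_restore_fd = -1;
        signal(SIGINT, SIG_DFL);
        signal(SIGTERM, SIG_DFL);
        signal(SIGHUP, SIG_DFL);
    }
    return rc < 0 ? -1 : (ssize_t)len;
}

int main(void) {
    char pw[128];
    fputs("Enter password: ", stdout);
    fflush(stdout);
    ssize_t len = read_hidden_line(STDIN_FILENO, pw, sizeof pw);
    if (len < 0) { perror("read_hidden_line"); return 1; }
    printf("read %zd bytes (not shown)\n", len);
    memset(pw, 0, sizeof pw);  /* a real program would use explicit_bzero */
    return 0;
}
```

Build with `cc hidden_read.c -o hidden_read` and run it on a terminal. The remaining caveat is the one the advisory is about: SIGKILL is uncatchable, so any bytes typed between the last read() and the kill can still reach the shell; with VMIN=1 that is at most a keystroke or so, whereas a reader that stays in canonical mode leaves the whole partially typed password in the kernel buffer for the shell to echo.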