CVE-2025-58160
BaseFortify
Publication date: 2025-08-29
Last updated on: 2025-09-02
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tokio-rs | tracing-subscriber | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-150 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the tracing-subscriber Rust library in versions prior to 0.3.20. Before that release, the library did not escape ANSI escape sequences contained in logged values, so when an event carrying untrusted input (for example a user-supplied name or HTTP header that a program records in a log field) was formatted and written to a terminal, the escape sequences reached the terminal emulator verbatim and were interpreted rather than displayed. A single logged string can therefore set the terminal title, clear the screen, move the cursor and overwrite lines that were already printed, or recolor text, which lets an attacker hide or forge log output and mislead whoever is watching the terminal.
How can this vulnerability impact me?
If exploited, this vulnerability lets an attacker who controls data that your program logs inject ANSI escape sequences into its terminal output. The effect is limited to what the terminal emulator interprets: changing the title bar, clearing the screen, moving the cursor so that earlier lines are overwritten, or recoloring text. That is enough to hide evidence of the attacker's own activity, to fabricate log lines that appear to come from the application, or to support social-engineering attacks against an operator reading the console. The integrity of what is displayed is affected; the bytes written by the program are not otherwise altered, and this is not a code-execution issue in tracing-subscriber itself.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update tracing-subscriber to version 0.3.20 or later, which escapes ANSI control characters when writing events to destinations that may be rendered by a terminal. If you cannot update yet, treat every logged value that can contain untrusted input as hostile: escape or strip control characters (at least ESC, BEL and the other C0 controls) before passing the value to the logging macros, or avoid writing logs to a terminal emulator at all. Note that the problem is not confined to live output: a log file that already contains raw escape sequences will replay them when it is viewed with `cat`, `tail` or `less -R`, so existing logs from unpatched versions should be treated with the same care.
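The following is an added example, not code from tracing-subscriber or from the advisory, that illustrates both the mechanism described in the first answer and the escaping workaround from the last one. It uses only the Rust standard library: `is_terminal_control`, `escape_for_terminal`, `contains_terminal_control` and `format_event` are hypothetical helper names, the log-line layout is made up for the example, and the attacker-controlled username is a constructed sample. The helper escapes every C0 control (including ESC, BEL, CR and LF), DEL and the C1 range, which is a deliberately broad choice rather than the exact set the library's fix uses.

```rust
//! Added example (not part of tracing-subscriber): render untrusted log
//! fields so that a terminal cannot interpret anything inside them.

/// True for characters a terminal may interpret instead of display:
/// C0 controls (0x00..=0x1F, which includes ESC 0x1B and BEL 0x07),
/// DEL (0x7F) and the C1 controls (0x80..=0x9F, which includes the
/// single-byte CSI 0x9B and OSC 0x9D forms some emulators accept).
/// Including CR/LF also blocks plain log-line injection (CWE-117).
fn is_terminal_control(c: char) -> bool {
    matches!(c, '\u{00}'..='\u{1f}' | '\u{7f}' | '\u{80}'..='\u{9f}')
}

/// Detection helper: does this string carry anything a terminal would act on?
/// Useful both before logging and when scanning existing log files.
pub fn contains_terminal_control(s: &str) -> bool {
    s.chars().any(is_terminal_control)
}

/// Escape control characters into their visible Rust-style form, e.g.
/// ESC becomes the six literal characters `\u{1b}`. Everything else is
/// copied through unchanged, so ordinary Unicode text is not damaged.
pub fn escape_for_terminal(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        if is_terminal_control(c) {
            out.extend(c.escape_default());
        } else {
            out.push(c);
        }
    }
    out
}

/// A minimal stand-in for a terminal log formatter. The layout
/// (`LEVEL target key=value ...`) is invented for this example; the point
/// is that every field value passes through `escape_for_terminal`.
pub fn format_event(level: &str, target: &str, fields: &[(&str, &str)]) -> String {
    let mut line = format!("{level} {target}");
    for (key, value) in fields {
        line.push(' ');
        line.push_str(key);
        line.push('=');
        line.push_str(&escape_for_terminal(value));
    }
    line
}

fn main() {
    // Constructed attacker-controlled input: sets the terminal title via an
    // OSC sequence, then clears the screen and homes the cursor via CSI.
    let username = "alice\u{1b}]0;pwned\u{7}\u{1b}[2J\u{1b}[H";

    // The unsafe behaviour: writing the raw value straight to the terminal.
    // Shown with `{:?}` here so that running the example does not actually
    // retitle or clear the reader's terminal.
    println!("raw field (would be interpreted): {:?}", username);

    // The hardened path: escape before the line reaches the terminal.
    let line = format_event("INFO", "auth", &[("user", username), ("ok", "true")]);
    println!("{line}");
    println!("still contains controls after escaping: {}", contains_terminal_control(&line));
}
```

The escaped form is deliberately noisy and unambiguous: an operator reading `user=alice\u{1b}]0;pwned\u{7}` can see that the client tried to inject a title-setting sequence, whereas silently stripping the bytes would hide the attempt. Apply the same helper to any value that can originate from a client before it reaches your logging macros, not only to the field that triggered the concern.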