CVE-2025-58160
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-29

Last updated on: 2025-09-02

Assigner: GitHub, Inc.

Description
tracing is a framework for instrumenting Rust programs to collect structured, event-based diagnostic information. Prior to version 0.3.20, tracing-subscriber was vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to manipulate terminal title bars, clear screens or modify terminal display, and potentially mislead users through terminal manipulation. tracing-subscriber version 0.3.20 fixes this vulnerability by escaping ANSI control characters when writing events to destinations that may be printed to the terminal. A workaround involves avoiding printing logs to terminal emulators without escaping ANSI control sequences.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-29
Last Modified
2025-09-02
Generated
2026-06-16
AI Q&A
2025-08-30
EPSS Evaluated
2026-06-14
NVD
CVE-2025-58160
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tokio-rs tracing-subscriber *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-150 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects the tracing-subscriber Rust library prior to version 0.3.20. It allows untrusted user input containing ANSI escape sequences to be injected into terminal output when logged. This can enable attackers to manipulate terminal display elements such as title bars, clear screens, or modify what is shown on the terminal, potentially misleading users through terminal manipulation.

Impact Analysis

If exploited, this vulnerability can allow attackers to manipulate terminal output by injecting ANSI escape sequences. This could lead to misleading terminal displays, such as changing terminal titles or clearing screens, which may confuse or deceive users. It could impact the integrity of terminal logs and potentially be used in social engineering or other attacks that rely on terminal manipulation.

Mitigation Strategies

To mitigate this vulnerability, update tracing-subscriber to version 0.3.20 or later, which escapes ANSI control characters when writing events to terminal destinations. As a workaround, avoid printing logs to terminal emulators without escaping ANSI control sequences.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58160. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart