Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 15 Jun 2024 11:37:39 +1000
From: David Leadbeater <>
Cc: George Nachman <>
Subject: iTerm2 3.5.x title reporting bug


I discovered iTerm2 versions 3.5.0 and 3.5.1 (and some beta versions)
have a bug where the preference for whether title reporting is enabled
is not respected -- the result is title reporting is always enabled*.

This is fixed by iTerm2 3.5.2, available from -- automatic updates should prompt
you to install this version. There is no CVE yet, this is essentially
another variant of CVE-2003-0063...

To test if you're vulnerable:
printf '\e]0;ivulnerable\a\e[21t'

If you have some of all of the string "vulnerable" (but not just "l")
in your input buffer, you're vulnerable. (You can also test via ssh, which does a variant of the above test and others
over SSH, source code at

This is not trivially exploitable (at least in a way that works
without user interaction), as it is not possible to echoback a newline
or control characters. However as Zsh is the default shell on macOS it
may be possible to use some of the vi techniques like I used in xterm
CVE-2022-45063[1]. Some of the techniques in solid-snail's previous
iTerm2 research[2] could apply too. So treat this as potential remote
code execution.


*: Unless you change the advanced setting "Disable potentially
insecure escape sequences" -- which works as a mitigation too, but
disables shell integration and some other features.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.