Ghostly CVE: A Terminal Emulator Security Bug in Ghostty
2025-01-01
A new terminal emulator, Ghostty, recently released version 1.0. Security researcher David Leadbeater discovered a vulnerability (CVE-2024-56803) similar to a 2003 CVE, allowing attackers to execute arbitrary code by exploiting the terminal's title querying functionality. The vulnerability leverages the in-band signaling nature of terminals and Zsh's behavior in vi mode. Attackers can use crafted escape sequences to execute malicious commands without the user's knowledge, even over SSH. Ghostty 1.0.1 fixes this, users are advised to upgrade or apply mitigations provided in the advisory.
Read more
(dgl.cx)
Development
terminal security