An issue was discovered in iTerm2 3.5.x before 3.5.2. Unfiltered use of an escape sequence to report a window title, in combination with the built-in tmux integration feature (enabled by default), allows an attacker to inject arbitrary code into the terminal, a different vulnerability than CVE-2024-38395.
The iTerm2 application does not properly filter escape sequences used for reporting the terminal window title. When the built-in tmux integration is active (enabled by default), a specially crafted escape sequence can be used to inject and execute arbitrary commands in the context of the user's terminal. The vulnerability is classified as CWE-94 (Improper Control of Code Generation), indicating lack of proper control over generated or interpreted code.
An attacker can execute arbitrary code in the victim's terminal without authentication, which may lead to complete takeover of the terminal session and potentially the entire user's operating system.
Update iTerm2 to version 3.5.2 or newer. A patch is available on the official vendor website (iterm2.com/downloads.html). Until updating, consider disabling the built-in tmux integration.
iTerm2 versions 3.5.x prior to 3.5.2 with active tmux integration (enabled by default).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HIterm2
APPIterm23.5.0 – 3.5.2 (bez)
Related vulnerabilities
iTerm2: wyciek danych z poleceń terminalowych przez plik /tmp/framer.txt
iTerm2: RCE przez niezastosowanie ustawienia tytułu okna terminala
iTermSessionLauncher.m in iTerm2 before 3.5.0beta12 does not sanitize paths in x-man-page URLs. They may have ...
iTermSessionLauncher.m in iTerm2 before 3.5.0beta12 does not sanitize ssh hostnames in URLs. The hostname's in...
iTerm2 before 3.4.20 allow (potentially remote) code execution because of mishandling of certain escape sequen...