Ghostty Control Character Injection Vulnerability Allowing Arbitrary Command Execution

Vulnerability

Ghostty, a cross-platform terminal emulator, passes control characters such as Ctrl+C (ETX, 0x03) through unfiltered when they appear in pasted or dropped text. In Bash and Zsh such characters can be used to manipulate the command line, so a selection that looks like harmless text when displayed can cause a different command to run once pasted. The characters are invisible in most graphical applications, so a victim copying from a web page, document or chat window has no visual cue that the selection contains them. Exploitation requires user interaction: the victim must copy and paste, or drag and drop, attacker-controlled text into a shell running inside Ghostty.

Impact

Successful exploitation results in arbitrary command execution with the privileges of the user running the shell, in Bash and Zsh in particular.

Reproduction

To reproduce, copy text that contains control characters such as Ctrl+C and paste it into a shell session running inside Ghostty version 1.2.3 or earlier, or drag and drop files or folders so that the inserted text carries such characters. The shell receives and processes the control characters, which can lead to commands being executed. To confirm that a clipboard payload contains them without letting a shell act on them, inspect the clipboard outside the terminal's input path, for example pbpaste | cat -v on macOS or wl-paste | cat -v on Wayland: cat -v renders Ctrl+C as ^C and ESC as ^[.

Remediation

Users should update to Ghostty version 1.3.0, which addresses the vulnerability by replacing problematic control characters in pasted and dropped text with spaces, following the behavior of xterm. There are no additional workarounds available; the filtering has to happen in the terminal emulator, before the text reaches the shell.
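To make the reproduction check and the fix concrete, the following is an added Python example, not Ghostty's own code (Ghostty is written in Zig). It provides a checker that lists the control characters hidden in a string about to be pasted, and a sanitizer that replaces them with single spaces as the remediation above describes. This page does not state exactly which characters Ghostty 1.3.0 replaces, so treating every C0 control and DEL other than TAB, LF and CR as problematic is an assumption, and the sample payload SAMPLE is constructed for illustration.

```python
"""Detect and neutralise control characters in text about to be pasted
into a terminal.

Added example, not Ghostty's code. The set of characters treated as
problematic (every C0 control and DEL, except TAB, LF and CR) is an
assumption; the page only says Ghostty 1.3.0 replaces "problematic
control characters" with spaces, as xterm does.
"""

# Controls that legitimately occur in pasted text and are kept as-is.
KEEP = {"\t", "\n", "\r"}


def caret(ch: str) -> str:
    """Caret notation for a control character: "\\x03" -> "^C", "\\x7f" -> "^?"."""
    code = ord(ch)
    return "^?" if code == 0x7F else f"^{chr(code + 0x40)}"


def is_dangerous_control(ch: str) -> bool:
    """True for C0 controls (0x00-0x1F) and DEL (0x7F) not in KEEP.

    Assumption: this is the set a terminal should scrub; the advisory
    does not list the exact characters Ghostty 1.3.0 replaces.
    """
    code = ord(ch)
    return (code < 0x20 or code == 0x7F) and ch not in KEEP


def find_control_chars(text: str) -> list[tuple[int, str]]:
    """Return (offset, caret name) for every dangerous control in text.

    This is the "is my clipboard clean?" check: run it on clipboard
    content before pasting into a shell, never by pasting into one.
    """
    return [(i, caret(ch)) for i, ch in enumerate(text) if is_dangerous_control(ch)]


def sanitize_paste(text: str) -> str:
    """Replace each dangerous control with a single space.

    The space as replacement is what the advisory says Ghostty 1.3.0
    does, following xterm; which characters qualify is the assumption
    documented in is_dangerous_control.
    """
    return "".join(" " if is_dangerous_control(ch) else ch for ch in text)


# Constructed sample: a GUI renders this as "echo ok" followed by a second
# line, but the copied text carries an embedded Ctrl+C (ETX, 0x03) and an
# ESC (0x1B) that no graphical application displays.
SAMPLE = "echo ok\x03echo hidden\x1b[0m\n"

if __name__ == "__main__":
    for offset, name in find_control_chars(SAMPLE):
        print(f"offset {offset}: {name}")
    print(repr(sanitize_paste(SAMPLE)))
```

On a real system the input would come from the clipboard (for example the output of pbpaste or wl-paste) rather than from SAMPLE; the point of the two functions is that detection and neutralisation both happen before the bytes ever reach a shell's line editor.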

Added: Mar 10, 2026, 7:52 AM
Updated: Mar 10, 2026, 7:52 AM

Vulnerability Rating (Custom Algorithm)

spread          0.0
impact          7.5
exploitability  4.8
remediation     0.0
relevance       3.7
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.