RCE in Ghostty-org Ghostty

CVE-2024-56803

Ghostty is a cross-platform terminal emulator. Ghostty, as allowed by default in 1.0.0, allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal…

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.004 (59.8th percentile) — read the EPSS interpretation.

Affected products

Ghostty-org Ghostty — versions < 1.0.1

Weakness classification (CWE)

CWE-94 — Code Injection

References

https://github.com/ghostty-org/ghostty/security/advisories/GHSA-5hcq-3j4q-4v6p (x_refsource_CONFIRM)
https://github.com/ghostty-org/ghostty/pull/3908 (x_refsource_MISC)