Impact
Ghostty allows control characters such as 0x03 (Ctrl+C) in pasted and dropped text. These can be used to execute arbitrary commands in some shell environments.
In testing, only Bash and Zsh were affected. Fish and Nu were resilient to the attacks. I'm not completely confident that they're fully resilient, but I was not able to generate a PoC to exercise the vulnerability.
This attack requires an attacker to convince the user to copy and paste or drag and drop malicious text. The attack requires user interaction to be triggered, but the dangerous characters are invisible in most GUI environments so it isn't trivially detected, especially if the string contents are complex.
Patches
Fixed in Ghostty v1.3.0.
The fix follows xterm's behavior by replacing problematic control characters with spaces. These are characters that in general should not be present in any valid paste. Non-problematic control characters such as tabs are not replaced. Suspicious but not necessarily problematic characters, such as newlines, are allowed within bracketed paste and require confirmation outside of bracketed paste (continuing the already-present behavior from prior Ghostty versions).
PR: #10746
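The following is an added illustration of the paste-sanitization policy described above, written for this advisory and not taken from Ghostty's source. The exact character set it treats as "problematic" (all C0 controls and DEL, except tab, LF and CR) is an assumption modelled on the description, as are the `sanitize_paste` and `PasteResult` names.

```python
# Added illustration of the paste-sanitization policy described in the advisory.
# This is NOT Ghostty's code; it models the described behaviour in Python.
from dataclasses import dataclass

# Assumed policy: C0 controls and DEL are "problematic" except TAB (harmless,
# kept as-is) and LF/CR ("suspicious": allowed inside bracketed paste, require
# confirmation outside it).
SAFE_CONTROLS = {"\t"}
SUSPICIOUS_CONTROLS = {"\n", "\r"}


def is_control(ch: str) -> bool:
    """True for the C0 control range (0x00-0x1F) and DEL (0x7F)."""
    code = ord(ch)
    return code < 0x20 or code == 0x7F


@dataclass
class PasteResult:
    text: str             # text that would be written to the pty
    replaced: list[int]   # code points that were replaced with spaces
    needs_confirm: bool   # True when an unbracketed paste carries newlines


def sanitize_paste(text: str, bracketed: bool) -> PasteResult:
    """Replace problematic controls with spaces; flag suspicious ones."""
    out: list[str] = []
    replaced: list[int] = []
    suspicious = False
    for ch in text:
        if not is_control(ch) or ch in SAFE_CONTROLS:
            out.append(ch)
        elif ch in SUSPICIOUS_CONTROLS:
            out.append(ch)
            suspicious = True
        else:
            # e.g. 0x03 (Ctrl+C) or 0x1B (ESC): substitute a space, as xterm does.
            # Replacing ESC also defuses a pasted bracketed-paste terminator.
            out.append(" ")
            replaced.append(ord(ch))
    return PasteResult("".join(out), replaced, suspicious and not bracketed)


if __name__ == "__main__":
    # Constructed sample: visible text with an embedded Ctrl+C and a newline.
    sample = "echo ok\x03echo hidden\n"
    for bracketed in (False, True):
        r = sanitize_paste(sample, bracketed)
        print(f"bracketed={bracketed}: {r.text!r} replaced={r.replaced} "
              f"confirm={r.needs_confirm}")
```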
Workarounds
There are no workarounds.
To prevent this in affected versions, users must manually inspect and sanitize all clipboard contents and draggable content such as file and folder names. There is no configuration that can be used to prevent this.
References