UBUNTU-CVE-2025-58160

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2025-58160
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-58160.json
JSON Data
https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2025-58160
Upstream
Published
2025-08-29T22:15:00Z
Modified
2025-09-03T17:51:45Z
Severity
  • 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

tracing is a framework for instrumenting Rust programs to collect structured, event-based diagnostic information. Prior to version 0.3.20, tracing-subscriber was vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to manipulate terminal title bars, clear screens or modify terminal display, and potentially mislead users through terminal manipulation. tracing-subscriber version 0.3.20 fixes this vulnerability by escaping ANSI control characters when writing events to destinations that may be printed to the terminal. A workaround involves avoiding printing logs to terminal emulators without escaping ANSI control sequences.

References

Affected packages

Ubuntu:24.04:LTS / rust-tracing-subscriber

Package

Name
rust-tracing-subscriber
Purl
pkg:deb/ubuntu/rust-tracing-subscriber@0.3.18-2?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.3.17-1
0.3.18-1
0.3.18-2

Ubuntu:25.04 / rust-tracing-subscriber

Package

Name
rust-tracing-subscriber
Purl
pkg:deb/ubuntu/rust-tracing-subscriber@0.3.18-4?arch=source&distro=plucky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.3.18-4