Déjà vu: Ghostly CVEs in my terminal title


Exploring a security bug in Ghostty that is eerily familiar. As I've spoken and written about, all modern terminals are actually "emulating" something dating from the 1970s.

One aspect of this attack that isn't immediately clear is that the input goes via your terminal, so it's as if you typed it, even if you're connected to a remote system via SSH. If for some reason you can't upgrade, the advisory has a workaround where a fixed title will not let an attacker control the value reported back. This isn't as complete as the Zsh mitigation, as you could still be blindly tricked into pressing Enter and running an unexpected command, but it works for this particular issue in Ghostty.
