Conversation
Fixes a security vulnerability where ANSI escape sequences in user input
could be injected into terminal output, potentially allowing attackers to
manipulate terminal behavior through log messages and error displays.
The vulnerability occurred when user-controlled content was formatted using
Display (`{}`) instead of Debug (`{:?}`) formatting, allowing raw ANSI
sequences to pass through unescaped.
Changes:
- Add streaming ANSI escape wrapper to avoid string allocations
- Escape message content in default and pretty formatters
- Escape error Display content in all error formatting paths
- Add comprehensive integration tests for all formatter types
The fix specifically targets untrusted user input while preserving the
ability for applications to deliberately include formatting in trusted
contexts like thread names.
Security impact: Prevents terminal injection attacks such as title bar
manipulation, screen clearing, and other malicious terminal control
sequences that could be injected through log messages.
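The description above explains the mechanism only in prose: `{}` streams user text straight to the terminal, and the fix adds a streaming wrapper that escapes control characters without allocating. The Rust below is an added example, not tracing-subscriber's own implementation: `EscapeAnsi` is a hypothetical `Display` wrapper that rewrites every C0/C1 control character (ESC, BEL, the single-byte CSI 0x9b) as a Debug-style `\u{..}` escape chunk by chunk, and `render_unescaped`/`render_escaped` show the vulnerable and the fixed formatting path side by side on a constructed input.

```rust
use std::fmt::{self, Display, Write};

/// Streaming escape wrapper (added example, not tracing-subscriber's code):
/// any control character in the inner value's Display output is rewritten as
/// a `\u{..}` escape while it is being written, so no intermediate String
/// is allocated. Because it is per character, arbitrary write_str chunk
/// boundaries cannot let a sequence slip through.
pub struct EscapeAnsi<T>(pub T);

impl<T: Display> Display for EscapeAnsi<T> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        // Adapter between the inner value's Display impl and the real formatter.
        struct Escaper<'a, 'b>(&'a mut fmt::Formatter<'b>);
        impl Write for Escaper<'_, '_> {
            fn write_str(&mut self, s: &str) -> fmt::Result {
                let mut last = 0;
                for (i, ch) in s.char_indices() {
                    // is_control() covers U+0000..=U+001F and U+007F..=U+009F,
                    // i.e. ESC, BEL, 8-bit CSI, and also \n and \t (as {:?} does).
                    if ch.is_control() {
                        self.0.write_str(&s[last..i])?;
                        write!(self.0, "{}", ch.escape_default())?;
                        last = i + ch.len_utf8();
                    }
                }
                self.0.write_str(&s[last..])
            }
        }
        write!(Escaper(f), "{}", self.0)
    }
}

/// The vulnerable path the advisory describes: `{}` passes raw bytes through.
pub fn render_unescaped(message: &str) -> String {
    format!("INFO app: {}", message)
}

/// The fixed path: only the untrusted message is wrapped, so a trusted part
/// of the line (e.g. a thread name the application styled itself) is untouched.
pub fn render_escaped(message: &str) -> String {
    format!("INFO app: {}", EscapeAnsi(message))
}

fn main() {
    // Constructed untrusted input: an OSC title-set sequence and a CSI clear-screen.
    let untrusted = "login failed for user \x1b]0;owned\x07 \x1b[2J";
    println!("{}", render_unescaped(untrusted)); // terminal interprets the sequences
    println!("{}", render_escaped(untrusted));   // sequences shown as \u{1b}... text
}
```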
@carllerche can you elaborate on "while preserving the ability for applications to deliberately include formatting in trusted contexts"? I have hundreds (thousands?) of traces with For example: `info!("This is red: {}", "color test".red());` now escapes the color sequence despite Thanks!
Edit: Looking at the PR, does this still accomplish what you're looking for if
Created followup issue: Regression: New tracing-subscriber breaks ANSI color and styling support
Update all dependencies to latest compatible versions.
This resolves the following crate vulnerability error:
```
error[vulnerability]: Logging user input may result in poisoning logs with ANSI escape sequences
┌─ /Volumes/scratch/repos/steam/Cargo.lock:251:1
│
251 │ tracing-subscriber 0.3.19 registry+https://github.com/rust-lang/crates.io-index
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
│
├ ID: RUSTSEC-2025-0055
├ Advisory: https://rustsec.org/advisories/RUSTSEC-2025-0055
├ Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:
- Manipulate terminal title bars
- Clear screens or modify terminal display
- Potentially mislead users through terminal manipulation
In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.
This was patched in [PR #3368](tokio-rs/tracing#3368) to escape ANSI control characters from user input.
├ Announcement: GHSA-xwfj-jgwm-7wp5
├ Solution: Upgrade to >=0.3.20 (try `cargo update -p tracing-subscriber`)
├ tracing-subscriber v0.3.19
  └── loom v0.5.6
      └── state v0.6.0
          ├── rocket v0.5.1
          │   └── steam-spotter v0.3.0
          └── rocket_http v0.5.1
              ├── rocket v0.5.1 (*)
              └── rocket_codegen v0.5.1
                  └── rocket v0.5.1 (*)
advisories FAILED, bans ok, licenses ok, sources ok
```
Fixing the following error when integrating the code on desktop:
```
TEST-UNEXPECTED-ERROR | /builds/worker/checkouts/gecko/Cargo.lock:-1:-1 | Crate depends on a vulnerable version of tracing-subscriber.
Advisory: Logging user input may result in poisoning logs with ANSI escape sequences
Package: tracing-subscriber
ID: RUSTSEC-2025-0055
Report date: 2025-08-29
Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:
- Manipulate terminal title bars
- Clear screens or modify terminal display
- Potentially mislead users through terminal manipulation
In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.
This was patched in [PR mozilla#3368](tokio-rs/tracing#3368) to escape ANSI control characters from user input.
URL: GHSA-xwfj-jgwm-7wp5
Patched versions: [ ">=0.3.20" ]
```
…vulnerability
Logs from cargo deny:
```
error[vulnerability]: Logging user input may result in poisoning logs with ANSI escape sequences
┌─ /home/runner/work/axelar-relayer-core/axelar-relayer-core/Cargo.lock:330:1
│
330 │ tracing-subscriber 0.3.19 registry+https://github.com/rust-lang/crates.io-index
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
│
├ ID: RUSTSEC-2025-0055
├ Advisory: https://rustsec.org/advisories/RUSTSEC-2025-0055
├ Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:
- Manipulate terminal title bars
- Clear screens or modify terminal display
- Potentially mislead users through terminal manipulation
In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.
This was patched in [PR #3368](tokio-rs/tracing#3368) to escape ANSI control characters from user input.
```
Revert "fmt: fix ANSI escape sequence injection vulnerability (tokio-rs#3368)" This reverts commit 4c52ca5.
How to re-enable it? Or rather, how should I output escape sequences in my logs?
Edit: ok, I see #3369