Bug 2391963 (CVE-2025-58160)

Summary: CVE-2025-58160 tracing-subscriber: Tracing log pollution
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: anthomas, bkabrda, brasmith, cochase, dbosanac, dranck, ehelms, ggainey, gotiwari, jcantril, jreimann, juwatts, jwendell, lball, mdessi, mhulan, mrizzi, mvyas, ngough, nmoumoul, osousa, pcattana, pcreech, rcernich, rchan, rojacob, smallamp, tmalecek, veshanka
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A log pollution flaw was found in the tracing-subscriber Rust crate. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to manipulate terminal title bars, clear screens, modify the terminal display, or potentially mislead users through terminal manipulation. In isolation, the impact is minimal. However, security issues have been identified in terminal emulators that allow an attacker to exploit vulnerabilities in the terminal emulator by using ANSI escape sequences via logs.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2391976, 2391977, 2391979, 2391980, 2391983, 2391986, 2391987, 2391988, 2391989, 2391990, 2391991, 2391992, 2391993, 2391994, 2391995, 2391996, 2391998, 2392000, 2392001, 2392004, 2392005, 2392010, 2392011, 2392013, 2392014, 2392017, 2392020, 2392021, 2392022, 2392023, 2392024, 2392025, 2392026, 2392027, 2392028, 2392029, 2392030, 2392031, 2392034, 2392035, 2392039, 2392040, 2392043, 2392044, 2392047, 2392052, 2392053, 2392056, 2391972, 2391973, 2391974, 2391975, 2391978, 2391981, 2391982, 2391984, 2391985, 2391997, 2391999, 2392002, 2392003, 2392006, 2392007, 2392008, 2392009, 2392012, 2392015, 2392016, 2392018, 2392019, 2392032, 2392033, 2392036, 2392037, 2392038, 2392041, 2392042, 2392045, 2392046, 2392048, 2392049, 2392050, 2392051, 2392054, 2392055    
Bug Blocks:    

Description OSIDB Bzimport 2025-08-29 22:01:32 UTC 
tracing is a framework for instrumenting Rust programs to collect structured, event-based diagnostic information. Prior to version 0.3.20, tracing-subscriber was vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to manipulate terminal title bars, clear screens or modify terminal display, and potentially mislead users through terminal manipulation. tracing-subscriber version 0.3.20 fixes this vulnerability by escaping ANSI control characters when writing events to destinations that may be printed to the terminal. A workaround involves avoiding printing logs to terminal emulators without escaping ANSI control sequences.