carllerche
Member

Fixes a security vulnerability where ANSI escape sequences in user input could be injected into terminal output, potentially allowing attackers to manipulate terminal behavior through log messages and error displays.

The vulnerability occurred when user-controlled content was formatted using Display (`{}`) instead of Debug (`{:?}`) formatting, allowing raw ANSI sequences to pass through unescaped.

Changes:

  • Add streaming ANSI escape wrapper to avoid string allocations
  • Escape message content in default and pretty formatters
  • Escape error Display content in all error formatting paths
  • Add comprehensive integration tests for all formatter types

The fix specifically targets untrusted user input while preserving the ability for applications to deliberately include formatting in trusted contexts like thread names.

Security impact: Prevents terminal injection attacks such as title bar manipulation, screen clearing, and other malicious terminal control sequences that could be injected through log messages.

@carllerche carllerche requested review from hawkw and a team as code owners August 29, 2025 19:00
@carllerche carllerche changed the title fmt: fix ANSI escape sequence injection vulnerability fmt: escape ANSI control characters Aug 29, 2025
@hawkw hawkw enabled auto-merge (squash) August 29, 2025 19:01
@hawkw hawkw merged commit 4c52ca5 into main Aug 29, 2025
55 of 56 checks passed
@hawkw hawkw deleted the escape-ansi branch August 29, 2025 19:08
ziemkowski commented Sep 1, 2025

@carllerche can you elaborate on "while preserving the ability for applications to deliberately include formatting in trusted contexts"?

I have hundreds (thousands?) of traces with colored-rs variables that are now escaped in my terminal. What's the proper way to preserve the formatting of those vars?

For example:

```rust
info!("This is red: {}", "color test".red());
```

now escapes the color sequence despite `format().with_ansi(use_color)`:

```
This is red: \x1b[31mcolor test\x1b[0m
```

Thanks!

Edit: Looking at the PR, does this still accomplish what you're looking for if \x1b ESC is not escaped? It seems like it wants to escape the bad sequences, not disable escape sequences entirely, no?

Created followup issue: Regression: New tracing-subscriber breaks ANSI color and styling support
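As an added illustration of the mechanism the PR description and this comment discuss (not code from the tracing project or from either commenter): a streaming `fmt::Write` adapter that escapes control characters as it forwards text, wrapped around one untrusted field of a log line, with the pre-fix `{}` pass-through beside it. The escaped character set and the `\xNN` rendering are this example's own choices, not a statement of what tracing-subscriber 0.3.20 does, and the names `EscapingWriter`, `EscapeAnsi`, `needs_escape`, `format_unescaped` and `format_escaped` are hypothetical.

```rust
use std::fmt::{self, Display, Write};

/// Streaming adapter: escapes control characters while forwarding text to the
/// wrapped writer, so the untrusted value is never materialised as a String.
struct EscapingWriter<'a, W: Write> {
    inner: &'a mut W,
}

/// Which characters to neutralise. Design choice made for this example (not
/// the tracing crate's rule): tab, newline and carriage return pass through;
/// every other C0 control, DEL, and the C1 range U+0080..=U+009F (which holds
/// the 8-bit CSI/OSC introducers) is rendered as `\xNN`.
fn needs_escape(c: char) -> bool {
    match c {
        '\t' | '\n' | '\r' => false,
        '\u{00}'..='\u{1f}' | '\u{7f}' | '\u{80}'..='\u{9f}' => true,
        _ => false,
    }
}

impl<W: Write> Write for EscapingWriter<'_, W> {
    fn write_str(&mut self, s: &str) -> fmt::Result {
        let mut safe_start = 0;
        for (idx, c) in s.char_indices() {
            if needs_escape(c) {
                // Flush the pending run of safe text, then the escaped form.
                self.inner.write_str(&s[safe_start..idx])?;
                write!(self.inner, "\\x{:02x}", c as u32)?;
                safe_start = idx + c.len_utf8();
            }
        }
        self.inner.write_str(&s[safe_start..])
    }
}

/// `Display` wrapper: whatever the inner value writes goes through the escaper.
struct EscapeAnsi<T>(T);

impl<T: Display> Display for EscapeAnsi<T> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let mut escaper = EscapingWriter { inner: f };
        write!(escaper, "{}", self.0)
    }
}

/// The pre-fix shape: the user-controlled field is formatted with `{}`, so an
/// ESC sequence inside it reaches the terminal unchanged.
fn format_unescaped(user_field: &str) -> String {
    format!("INFO login failed for user: {}", user_field)
}

/// The post-fix shape: the same field wrapped in the escaping adapter.
fn format_escaped(user_field: &str) -> String {
    format!("INFO login failed for user: {}", EscapeAnsi(user_field))
}

fn main() {
    // Constructed sample: a username carrying an OSC title-set sequence.
    let hostile = "alice\x1b]0;not the real title\x07";
    println!("{}", format_unescaped(hostile)); // control bytes pass through
    println!("{}", format_escaped(hostile)); // ...alice\x1b]0;not the real title\x07

    // The case from the comment above: a deliberately coloured value is
    // escaped just the same, because the adapter cannot tell it from injection.
    println!("{}", format_escaped("\x1b[31mcolor test\x1b[0m"));
}
```

The last line is why a `.red()` value comes back as `\x1b[31mcolor test\x1b[0m`: once the message text is treated as untrusted, the escaper has no way to distinguish an intentional colour sequence from an injected one, so styling that must survive has to live in a field the formatter treats as trusted rather than inside the message text.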

jo added a commit to jo/application-services that referenced this pull request Sep 2, 2025
Fixing the following error when integrating the code on desktop:
```
TEST-UNEXPECTED-ERROR | /builds/worker/checkouts/gecko/Cargo.lock:-1:-1 | Crate depends on a vulnerable version of tracing-subscriber.

Advisory:
Logging user input may result in poisoning logs with ANSI escape sequences
Package: tracing-subscriber
ID: RUSTSEC-2025-0055
Report date: 2025-08-29
Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

- Manipulate terminal title bars
- Clear screens or modify terminal display
- Potentially mislead users through terminal manipulation

In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

This was patched in [PR mozilla#3368](tokio-rs/tracing#3368) to escape ANSI control characters from user input.
URL: GHSA-xwfj-jgwm-7wp5
Patched versions: [
  ">=0.3.20"
]
```
cfsmp3 pushed a commit to cfsmp3/monarch that referenced this pull request Sep 5, 2025
Summary:
```
VULNERABILITY RUSTSEC-2025-0055 - 2025-08-29: Logging user input may result in poisoning logs with ANSI escape sequences
Package: tracing-subscriber 0.3.19

Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

- Manipulate terminal title bars
- Clear screens or modify terminal display
- Potentially mislead users through terminal manipulation

In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

This was patched in [PR #3368](tokio-rs/tracing#3368) to escape ANSI control characters from user input.
```

Differential Revision: D81802144
facebook-github-bot pushed a commit to facebookexperimental/reverie that referenced this pull request Sep 5, 2025
Summary:
X-link: meta-pytorch/monarch#1114

Reviewed By: dtolnay

Differential Revision: D81802144

fbshipit-source-id: 1430805e74df708af6cb7580eb1b0a2a58b14ac2
facebook-github-bot pushed a commit to facebookexperimental/rust-shed that referenced this pull request Sep 5, 2025
Summary:
X-link: meta-pytorch/monarch#1114

Reviewed By: dtolnay

Differential Revision: D81802144

fbshipit-source-id: 1430805e74df708af6cb7580eb1b0a2a58b14ac2
facebook-github-bot pushed a commit to facebook/pyrefly that referenced this pull request Sep 5, 2025
Summary:
X-link: meta-pytorch/monarch#1114

Reviewed By: dtolnay

Differential Revision: D81802144

fbshipit-source-id: 1430805e74df708af6cb7580eb1b0a2a58b14ac2
facebook-github-bot pushed a commit to facebookincubator/reindeer that referenced this pull request Sep 5, 2025
Summary:
X-link: meta-pytorch/monarch#1114

Reviewed By: dtolnay

Differential Revision: D81802144

fbshipit-source-id: 1430805e74df708af6cb7580eb1b0a2a58b14ac2
facebook-github-bot pushed a commit to facebook/sapling that referenced this pull request Sep 5, 2025
Summary:
X-link: meta-pytorch/monarch#1114

Reviewed By: dtolnay

Differential Revision: D81802144

fbshipit-source-id: 1430805e74df708af6cb7580eb1b0a2a58b14ac2
facebook-github-bot pushed a commit to facebookincubator/scrut that referenced this pull request Sep 5, 2025
Summary:
X-link: meta-pytorch/monarch#1114

Reviewed By: dtolnay

Differential Revision: D81802144

fbshipit-source-id: 1430805e74df708af6cb7580eb1b0a2a58b14ac2
facebook-github-bot pushed a commit to meta-pytorch/monarch that referenced this pull request Sep 5, 2025
…55) (#1114)

Summary:
Pull Request resolved: #1114

Reviewed By: dtolnay

Differential Revision: D81802144

fbshipit-source-id: 1430805e74df708af6cb7580eb1b0a2a58b14ac2
facebook-github-bot pushed a commit to facebookexperimental/hermit that referenced this pull request Sep 5, 2025
Summary:
X-link: meta-pytorch/monarch#1114

Reviewed By: dtolnay

Differential Revision: D81802144

fbshipit-source-id: 1430805e74df708af6cb7580eb1b0a2a58b14ac2
facebook-github-bot pushed a commit to facebook/hhvm that referenced this pull request Sep 5, 2025
Summary:
X-link: meta-pytorch/monarch#1114

Reviewed By: dtolnay

Differential Revision: D81802144

fbshipit-source-id: 1430805e74df708af6cb7580eb1b0a2a58b14ac2
anstylian added a commit to eigerco/axelar-relayer-core that referenced this pull request Sep 23, 2025
…vulnerability

Logs from cargo deny:
error[vulnerability]: Logging user input may result in poisoning logs with ANSI escape sequences
    ┌─ /home/runner/work/axelar-relayer-core/axelar-relayer-core/Cargo.lock:330:1
    │
330 │ tracing-subscriber 0.3.19 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2025-0055
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2025-0055
    ├ Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

      - Manipulate terminal title bars
      - Clear screens or modify terminal display
      - Potentially mislead users through terminal manipulation

      In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

      This was patched in [PR #3368](tokio-rs/tracing#3368) to escape ANSI control characters from user input.