CVE-2025-58160

Name: CVE-2025-58160
Description: tracing is a framework for instrumenting Rust programs to collect structured, event-based diagnostic information. Prior to version 0.3.20, tracing-subscriber was vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to manipulate terminal title bars, clear screens or modify terminal display, and potentially mislead users through terminal manipulation. tracing-subscriber version 0.3.20 fixes this vulnerability by escaping ANSI control characters when writing events to destinations that may be printed to the terminal. A workaround involves avoiding printing logs to terminal emulators without escaping ANSI control sequences.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1112553

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package                  Release             Version   Status
rust-tracing-subscriber (PTS)   bookworm            0.3.16-2  vulnerable
                                forky, sid, trixie  0.3.18-4  vulnerable

The information below is based on the following data on fixed versions.

Package                  Type    Release     Fixed Version  Urgency  Origin  Debian Bugs
rust-tracing-subscriber  source  (unstable)  (unfixed)                       1112553

Notes

[trixie] - rust-tracing-subscriber <no-dsa> (Minor issue)
[bookworm] - rust-tracing-subscriber <no-dsa> (Minor issue)
https://rustsec.org/advisories/RUSTSEC-2025-0055.html
https://github.com/tokio-rs/tracing/security/advisories/GHSA-xwfj-jgwm-7wp5
https://github.com/tokio-rs/tracing/pull/3368
Fixed by: https://github.com/tokio-rs/tracing/commit/4c52ca5266a3920fc5dfeebda2accf15ee7fb278 (tracing-subscriber-0.3.20)
