PT-2024-27980 · Iterm2 · Iterm2
David Leadbeater (+1) · Published 2024-06-16 · Updated 2024-07-14 · CVE-2024-38396
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
iTerm2 versions 3.5.x through 3.5.1
Description
An issue was discovered in iTerm2 that allows an attacker to inject arbitrary code into the terminal by abusing title reporting and tmux integration. This is possible due to the unfiltered use of an escape sequence to report a window title, in combination with the built-in tmux integration feature, which is enabled by default.
Recommendations
For iTerm2 versions 3.5.x through 3.5.1, update to version 3.5.2 or later to resolve the issue. As a temporary workaround, consider disabling the tmux integration feature until the update is applied. Restrict access to the terminal to minimize the risk of exploitation. Avoid using the title reporting feature in the affected versions until the issue is resolved.
Exploit
Fix
Code Injection
Affected Products
Iterm2