Zsh Security Vulnerabilities

CVE-2021-45444

In zsh before 5.8.1, an attacker can achieve code execution if they control a command output inside the prompt, as demonstrated by a %F argument. This occurs because of recursive PROMPT_SUBST...

CVSS: 7.8 | AI Score: 7.8 | EPSS: 0.001

2022-02-14 12:15 PM

CVE-2021-3769

Vulnerability in pygmalion, pygmalion-virtualenv and refined themes Description: these themes use print -P on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vulnerability...

CVSS: 9.8 | AI Score: 9.3 | EPSS: 0.002

2021-11-30 10:15 AM

CVE-2021-3725

Vulnerability in dirhistory plugin Description: the widgets that go back and forward in the directory history, triggered by pressing Alt-Left and Alt-Right, use functions that unsafely execute eval on directory names. If you cd into a directory with a carefully-crafted name, then press Alt-Left,...

CVSS: 8.8 | AI Score: 8.9 | EPSS: 0.002

2021-11-30 10:15 AM

CVE-2021-3727

Vulnerability in rand-quote and hitokoto plugins Description: the rand-quote and hitokoto fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use print -P to print them. If these quotes contained the proper symbols, they could trigger command...

CVSS: 9.8 | AI Score: 9.6 | EPSS: 0.001

2021-11-30 10:15 AM

CVE-2021-3726

Vulnerability in title function Description: the title function defined in lib/termsupport.zsh uses print to set the terminal title to a user-supplied string. In Oh My Zsh, this function is always used securely, but custom user code could use the title function in a way that is unsafe. Fixed in:...

CVSS: 9.8 | AI Score: 9.3 | EPSS: 0.002

2021-11-30 10:15 AM

CVE-2021-3934

ohmyzsh is vulnerable to Improper Neutralization of Special Elements used in an OS...

CVSS: 7.5 | AI Score: 7.5 | EPSS: 0.002

2021-11-12 12:15 PM

CVE-2020-11073

In Autoswitch Python Virtualenv before version 0.16.0, a user who enters a directory with a malicious .venv file could run arbitrary code without any user interaction. This is fixed in version:...

CVSS: 7.9 | AI Score: 7.6 | EPSS: 0.001

2020-05-13 07:15 PM

CVE-2019-20044

In Zsh before 5.8, attackers able to execute commands can regain privileges dropped by the --no-PRIVILEGED option. Zsh fails to overwrite the saved uid, so the original privileges can be restored by executing MODULE_PATH=/dir/with/module zmodload with a module that calls...

CVSS: 7.8 | AI Score: 7.8 | EPSS: 0.0005

2020-02-24 02:15 PM

CVE-2018-0502

An issue was discovered in zsh before 5.6. The beginning of a #! script file was mishandled, potentially leading to an execve call to a program named on the second...

CVSS: 9.8 | AI Score: 8.3 | EPSS: 0.007

2018-09-05 08:29 AM

CVE-2018-13259

An issue was discovered in zsh before 5.6. Shebang lines exceeding 64 characters were truncated, potentially leading to an execve call to a program name that is a substring of the intended...

CVSS: 9.8 | AI Score: 8.4 | EPSS: 0.007

2018-09-05 08:29 AM

CVE-2018-1100

zsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the utils.c:checkmailpath function. A local attacker could exploit this to execute arbitrary code in the context of another...

CVSS: 7.8 | AI Score: 7.9 | EPSS: 0.0004

2018-04-11 07:29 PM

CVE-2018-1083

Zsh before version 5.4.2-test-1 is vulnerable to a buffer overflow in the shell autocomplete functionality. A local unprivileged user can create a specially crafted directory path which leads to code execution in the context of the user who tries to use autocomplete to traverse the before...

CVSS: 7.8 | AI Score: 6.7 | EPSS: 0.001

2018-03-28 01:29 PM

CVE-2018-1071

zsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the exec.c:hashcmd() function. A local attacker could exploit this to cause a denial of...

CVSS: 5.5 | AI Score: 6.2 | EPSS: 0.0004

2018-03-09 03:29 PM

CVE-2014-10072

In utils.c in zsh before 5.0.6, there is a buffer overflow when scanning very long directory paths for symbolic...

CVSS: 9.8 | AI Score: 6.5 | EPSS: 0.004

2018-02-27 10:29 PM

CVE-2018-7548

In subst.c in zsh through 5.4.2, there is a NULL pointer dereference when using ${(PA)...} on an empty array...

CVSS: 9.8 | AI Score: 8.4 | EPSS: 0.003

2018-02-27 10:29 PM

CVE-2018-7549

In params.c in zsh through 5.4.2, there is a crash during a copy of an empty hash table, as demonstrated by typeset...

CVSS: 7.5 | AI Score: 7.1 | EPSS: 0.004

2018-02-27 10:29 PM

CVE-2017-18205

In builtin.c in zsh before 5.4, when sh compatibility mode is used, there is a NULL pointer dereference during processing of the cd command with no argument if HOME is not...

CVSS: 8.1 | AI Score: 6.4 | EPSS: 0.004

2018-02-27 10:29 PM

CVE-2017-18206

In utils.c in zsh before 5.4, symlink expansion had a buffer...

CVSS: 9.8 | AI Score: 7.2 | EPSS: 0.007

2018-02-27 10:29 PM

CVE-2014-10071

In exec.c in zsh before 5.0.7, there is a buffer overflow for very long fds in the ">& fd"...

CVSS: 9.8 | AI Score: 7.4 | EPSS: 0.003

2018-02-27 10:29 PM

CVE-2014-10070

zsh before 5.0.7 allows evaluation of the initial values of integer variables imported from the environment (instead of treating them as literal numbers). That could allow local privilege escalation, under some specific and atypical conditions where zsh is being invoked in privilege-elevation...

CVSS: 7.8 | AI Score: 7 | EPSS: 0.0004

2018-02-27 10:29 PM

CVE-2016-10714

In zsh before 5.3, an off-by-one error resulted in undersized buffers that were intended to support PATH_MAX...

CVSS: 9.8 | AI Score: 7 | EPSS: 0.002

2018-02-27 10:29 PM

CVE-2007-6209

Util/difflog.pl in zsh 4.3.4 allows local users to overwrite arbitrary files via a symlink attack on temporary...

AI Score: 6.3 | EPSS: 0.0004

2007-12-04 12:46 AM