CVE-2023-49284

Date: 2023-12-05 00:00:00
Source: ubuntu.com
Tags: fish shell, vulnerability, unicode non-character, update, security issue, denial of service, information disclosure, unix

CVSS3: 6.6 Medium

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H

AI Score: 7.2 High (Confidence: High)
EPSS: 0.0004 Low (Percentile: 10.0%)

fish is a smart and user-friendly command line shell for macOS, Linux, and
the rest of the family. fish shell uses certain Unicode non-characters
internally for marking wildcards and expansions. It will incorrectly allow
these markers to be read on command substitution output, rather than
transforming them into a safe internal representation. While this may cause
unexpected behavior with direct input (for example, echo \UFDD2HOME has the
same output as echo $HOME), this may become a minor security problem if the
output is being fed from an external program into a command substitution
where this output may not be expected. This design flaw was introduced in
very early versions of fish, predating the version control system, and is
thought to be present in every version of fish released in the last 15
years or more, although with different characters. Code execution does not
appear to be possible, but denial of service (through large brace
expansion) or information disclosure (such as variable expansion) is
potentially possible under certain circumstances. fish shell 3.6.2 has been
released to correct this issue. Users are advised to upgrade. There are no
known workarounds for this vulnerability.
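
The following Python check is an added example, not code from fish or from this advisory: it scans captured output of an external program for Unicode noncharacters, the class of code point the description refers to (U+FDD2 is one), so such output can be flagged before it reaches a command substitution. The sample output and function names are constructed for illustration, and it tests for the whole Unicode noncharacter set because the page does not list the exact markers each fish version uses.

```python
"""Flag Unicode noncharacters in captured program output (added example)."""

# Constructed sample: output of a hypothetical external tool, one name per
# line. The second line carries U+FDD2, the code point the advisory cites;
# the last line carries an invalid UTF-8 byte.
SAMPLE_OUTPUT = (
    "build-2023.log\n"
    "report-\uFDD2HOME.txt\n"
    "caf\u00e9-menu.txt\n"
).encode("utf-8") + b"bad-\xff-bytes\n"


def is_noncharacter(cp: int) -> bool:
    """True for the 66 Unicode noncharacters.

    These are U+FDD0..U+FDEF plus the last two code points of every plane
    (U+FFFE, U+FFFF, U+1FFFE, ... U+10FFFF).
    """
    return 0xFDD0 <= cp <= 0xFDEF or (cp & 0xFFFE) == 0xFFFE


def scan_output(data: bytes):
    """Return (line_no, column, 'U+XXXX') for each noncharacter in data.

    Invalid UTF-8 is kept via surrogateescape so one bad byte does not hide
    later findings; those bytes are not themselves reported.
    """
    findings = []
    text = data.decode("utf-8", errors="surrogateescape")
    for line_no, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if is_noncharacter(ord(ch)):
                findings.append((line_no, col, f"U+{ord(ch):04X}"))
    return findings


def visible(data: bytes) -> str:
    """Render data for a log with noncharacters shown as \\u{XXXX} escapes."""
    text = data.decode("utf-8", errors="replace")
    return "".join(
        f"\\u{{{ord(c):04X}}}" if is_noncharacter(ord(c)) else c for c in text
    )


if __name__ == "__main__":
    for line_no, col, cp in scan_output(SAMPLE_OUTPUT):
        print(f"line {line_no}, column {col}: noncharacter {cp}")
    print(visible(SAMPLE_OUTPUT), end="")
```

A finding marks output that deserves review before a shell consumes it; the fix named in the advisory remains upgrading to fish 3.6.2.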
