tracing is a framework for instrumenting Rust programs to collect structured, event-based diagnostic information. Prior to version 0.3.20, tracing-subscriber was vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to manipulate terminal title bars, clear screens or modify terminal display, and potentially mislead users through terminal manipulation. tracing-subscriber version 0.3.20 fixes this vulnerability by escaping ANSI control characters when writing events to destinations that may be printed to the terminal. A workaround involves avoiding printing logs to terminal emulators without escaping ANSI control sequences.
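One way to apply the workaround when untrusted fields must be written to a terminal, as an added Rust example (not code from tracing-subscriber or from this advisory): the hypothetical `Escaped` wrapper and `escape_control` helper render control characters as visible `\x..` text so the terminal never interprets them. The sample input is constructed.

```rust
use std::fmt::{self, Write as _};

/// Hypothetical wrapper for this example (not part of tracing or
/// tracing-subscriber): displays a string with control characters escaped.
struct Escaped<'a>(&'a str);

impl<'a> fmt::Display for Escaped<'a> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        for c in self.0.chars() {
            // char::is_control covers C0 (including ESC, 0x1b), DEL and C1
            // (including CSI, U+009B). Tab is kept as-is; newlines are
            // escaped so one field cannot forge a second log line.
            if c.is_control() && c != '\t' {
                write!(f, "\\x{:02x}", c as u32)?;
            } else {
                f.write_char(c)?;
            }
        }
        Ok(())
    }
}

/// Hypothetical convenience helper returning the escaped form as a String.
fn escape_control(input: &str) -> String {
    Escaped(input).to_string()
}

fn main() {
    // Constructed sample: an untrusted field carrying a clear-screen sequence.
    let user_field = "alice\x1b[2J logged out";
    println!("event user={}", Escaped(user_field));
}
```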
History

Tue, 02 Sep 2025 15:30:00 +0000

Type: First Time appeared
Values Added: Tokio; Tokio tracing

Type: Vendors & Products
Values Added: Tokio; Tokio tracing

Tue, 02 Sep 2025 14:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 30 Aug 2025 00:15:00 +0000

Type: References

Type: Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N'}; threat_severity Low


Fri, 29 Aug 2025 21:45:00 +0000

Type: Description
Values Added: the description text given at the top of this page

Type: Title
Values Added: Tracing logging user input may result in poisoning logs with ANSI escape sequences

Type: Weaknesses
Values Added: CWE-150

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2025-09-02T14:08:42.323Z

Reserved: 2025-08-27T13:34:56.186Z

Link: CVE-2025-58160

Vulnrichment

Updated: 2025-09-02T14:08:38.625Z

NVD

Status: Awaiting Analysis

Published: 2025-08-29T22:15:32.887

Modified: 2025-09-02T15:55:35.520

Link: CVE-2025-58160

Redhat

Severity: Low

Public Date: 2025-08-29T21:28:22Z

Links: CVE-2025-58160 - Bugzilla

OpenCVE Enrichment

Updated: 2025-09-02T15:23:32Z