Critical Drag-and-Drop Vulnerability Discovered in Popular Terminal Emulators
Key Takeaways
- Multiple popular terminal emulators are vulnerable to command injection through drag-and-drop file operations using control characters in filenames
- Attack payload uses Ctrl+C (\x03), command text, and Enter (\x0D) control characters to execute arbitrary commands when files are dragged into terminals
- Realistic attack scenarios include malicious filenames hidden through truncation in file managers, potentially triggering during routine file operations in cloned repositories or downloaded archives
Summary
A significant security vulnerability has been discovered in multiple terminal emulators including Kitty and xfce4-terminal that allows arbitrary command execution through drag-and-drop file operations. The vulnerability stems from the fact that terminal emulators insert dragged file paths without sanitization, allowing attackers to embed control characters and malicious commands in filenames. When users drag what appears to be a benign text file into their terminal, they may inadvertently execute arbitrary commands. The attack is particularly effective when malicious filenames are truncated in file managers, hiding the payload from user view.
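To make the mechanism concrete from the defender's side, the following is an added example (not code from Kitty, Ghostty, xfce4-terminal or the researchers' report). It models the unsanitized path insertion, a hardened drop handler that rejects control characters before shell-quoting, a simplified line discipline showing what a shell would actually receive, and a scanner that flags filenames containing control characters in a directory tree such as a freshly cloned repository. The file names, the function names, and the "command text" placeholder are all constructed for this example.

```python
import os
import shlex
import tempfile
import unicodedata

# Constructed sample names (not taken from the advisory). The malicious one
# follows the pattern the report describes: a long benign-looking prefix that
# a file manager will truncate, then Ctrl+C (\x03), command text, and Enter
# (\x0d). The "command" here is a harmless placeholder string.
BENIGN_NAME = "my notes.txt"
CONSTRUCTED_BAD_NAME = (
    "quarterly-report-2024-final-version-reviewed"
    "\x03harmless-placeholder-command\r.txt"
)


def contains_control_chars(name: str) -> bool:
    """True if any character is a Unicode control (category Cc): C0 controls
    such as \\x03 and \\x0d, DEL, and the C1 range."""
    return any(unicodedata.category(ch) == "Cc" for ch in name)


def vulnerable_drop_handler(path: str) -> str:
    """Models the unpatched behaviour: the raw path is written to the pty."""
    return path


def hardened_drop_handler(path: str) -> str:
    """Models a patched handler. Control characters are rejected outright,
    because the terminal itself interprets \\x0d as Enter before the shell
    ever sees the bytes, so shell quoting alone cannot neutralise them.
    Quoting is still applied so spaces and metacharacters stay inert."""
    if contains_control_chars(path):
        raise ValueError("refusing to insert a path containing control characters")
    return shlex.quote(path)


def lines_submitted(keystrokes: str) -> list[str]:
    """Approximates the line discipline: \\x03 discards the pending line,
    \\x0d or \\x0a submits it. Returns the lines a shell would run."""
    submitted, pending = [], ""
    for ch in keystrokes:
        if ch == "\x03":
            pending = ""
        elif ch in "\r\n":
            if pending:
                submitted.append(pending)
            pending = ""
        else:
            pending += ch
    return submitted


def scan_tree(root: str) -> list[str]:
    """Detection: walk a directory such as a freshly cloned repository or an
    extracted archive and return relative paths of entries whose name
    contains control characters."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if contains_control_chars(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def demo() -> dict:
    """Creates the two sample files in a throwaway directory, runs the scanner,
    and shows what each drop handler would cause a shell to execute when the
    user had already typed 'cat ' before dropping the file."""
    with tempfile.TemporaryDirectory() as root:
        for name in (BENIGN_NAME, CONSTRUCTED_BAD_NAME):
            open(os.path.join(root, name), "w").close()
        hits = scan_tree(root)

    typed = "cat "
    result = {
        "scanner_hits": hits,
        "vulnerable_runs": lines_submitted(typed + vulnerable_drop_handler(CONSTRUCTED_BAD_NAME)),
        "hardened_benign": hardened_drop_handler(BENIGN_NAME),
    }
    try:
        hardened_drop_handler(CONSTRUCTED_BAD_NAME)
        result["hardened_rejects"] = False
    except ValueError:
        result["hardened_rejects"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The key design point is the order of checks in `hardened_drop_handler`: quoting with `shlex.quote` is necessary for spaces and shell metacharacters, but it is not sufficient here, because a carriage return is acted on by the terminal's input path as an Enter keystroke before any quoting reaches the shell. Rejecting (or visibly escaping) control characters is the mitigation; the scanner is a cheap pre-check to run over untrusted trees before working in them.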
Researchers have reported the vulnerability to affected projects, with patches already released for Kitty, Ghostty, and XFCE4 Terminal. However, several other terminal emulators remain vulnerable, and no official CVE has been assigned due to MITRE's unresponsiveness. Security researchers recommend immediately switching to patched versions or alternative terminal emulators like Alacritty, which does not support drag-and-drop functionality.
- Patches are available for Kitty, Ghostty, and XFCE4 Terminal; users of other vulnerable emulators should switch to patched or unaffected alternatives immediately