CVE-2023-46321 in iTerm2info

Summary

by MITRE • 10/25/2023

iTermSessionLauncher.m in iTerm2 before 3.5.0beta12 does not sanitize paths in x-man-page URLs. They may have shell metacharacters for a /usr/bin/man command line.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 02/14/2026

The vulnerability identified as CVE-2023-46321 affects iTerm2 versions prior to 3.5.0beta12 and resides in the iTermSessionLauncher.m component which handles x-man-page URLs. This represents a path sanitization issue that could potentially allow attackers to execute arbitrary commands through carefully crafted URL inputs. The flaw specifically manifests when the application processes x-man-page URLs that contain shell metacharacters within path specifications, creating a dangerous execution environment where command injection becomes possible.

The technical implementation of this vulnerability stems from insufficient input validation and sanitization within the URL handling mechanism of iTerm2's session launcher functionality. When users click on x-man-page URLs that contain specially crafted paths with shell metacharacters such as semicolons, ampersands, or backticks, these characters can be passed directly to the underlying /usr/bin/man command without proper escaping or sanitization. This creates a classic command injection vulnerability where attacker-controlled input flows directly into shell execution contexts, violating fundamental security principles of input validation and output encoding.

The operational impact of this vulnerability extends beyond simple command execution as it enables potential privilege escalation and system compromise scenarios. An attacker could craft malicious x-man-page URLs that, when opened in iTerm2, would execute arbitrary shell commands with the privileges of the user running the application. This could lead to complete system compromise, data exfiltration, or the installation of persistent backdoors. The vulnerability is particularly concerning in environments where users might encounter untrusted URLs or where iTerm2 is used in automated contexts where URL handling occurs without proper user verification.

Security professionals should note this vulnerability aligns with CWE-78, which specifically addresses OS Command Injection, and demonstrates the importance of proper input sanitization in command-line argument handling. The ATT&CK framework categorizes this as a command and scripting interpreter technique under T1059, where adversaries leverage legitimate system tools to execute malicious code. Organizations using iTerm2 should immediately upgrade to version 3.5.0beta12 or later where the path sanitization issue has been addressed. Additionally, users should exercise extreme caution when clicking on unknown or untrusted x-man-page URLs and consider implementing URL filtering mechanisms at the network level. System administrators should monitor for suspicious command execution patterns and ensure that all software updates are applied promptly to mitigate this and similar vulnerabilities in terminal applications.

Reservation

10/22/2023

Disclosure

10/25/2023

Moderation

accepted

CPE

ready

EPSS

0.00656

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!