CVE-2019-0542
Remote Code Execution vulnerability in xterm (npm)

Tags: Remote Code Execution · No known exploit · Fixable by Resolved Security

What is CVE-2019-0542 About?

This Remote Code Execution vulnerability in Xterm.js occurs when the component mishandles special characters. An attacker can exploit this to execute arbitrary code remotely on the victim's system. Exploitation requires sending specially crafted input to Xterm.js, often through a connected shell.

Affected Software

  • xterm
    • >3.9.0, <3.9.2
    • >3.10.0, <3.10.1
    • <3.8.1

Technical Details

The Remote Code Execution vulnerability in Xterm.js arises from its mishandling of special characters. Terminal emulators like Xterm.js interpret escape sequences and control characters to perform various actions, such as changing text colour, moving the cursor, or resizing the terminal. If Xterm.js does not properly sanitize or validate these special characters when they are received (e.g., from a connected shell or untrusted input), an attacker can inject malicious sequences. Such sequences can cause the terminal to act outside its intended scope, for example by answering a query sequence with data that is then echoed back into the connected shell, which can lead to remote code execution.

What is the Impact of CVE-2019-0542?

Successful exploitation may allow attackers to execute arbitrary code with the privileges of the affected application or user, leading to complete system compromise, data theft, or denial of service.

What is the Exploitability of CVE-2019-0542?

Exploitation of this RCE vulnerability is remote and typically requires knowledge of the specific special character sequences that Xterm.js mishandles. The complexity is moderate to high, depending on the specifics of the vulnerability and the environment. No explicit authentication is mentioned: if an attacker can send data to an Xterm.js instance (e.g., through a compromised shell, or via a web application using Xterm.js that reflects untrusted input), they can attempt to exploit it. Privilege requirements are tied to the context in which Xterm.js is running. The likelihood of exploitation increases if Xterm.js is used in environments that display untrusted or potentially malicious output, such as web-based shells or logs containing user-controlled content.

What are the Known Public Exploits?

No known public exploits (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CVE-2019-0542?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch removes support for the DCS + q Pt ST (Request Terminfo String) sequence, eliminating the RequestTerminfo handler and its registration. This mitigates CVE-2019-0542 by preventing attackers from exploiting the handler to inject malicious input, which could be echoed back and potentially lead to remote code execution or information disclosure through crafted terminal sequences.
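As an added illustration (not xterm.js code and not the Resolved Security patch), the function below strips DCS (Device Control String) sequences from untrusted terminal output before it is written to an emulator and reports whether any of them was a DCS + q request-terminfo query of the kind the fix disables; the function name and the sample input are constructed for this example.

```javascript
// Constructed example: remove DCS sequences from text destined for a terminal
// emulator. Handles the 7-bit form ESC P ... ESC \ and the 8-bit C1 form
// 0x90 ... 0x9C. A DCS body beginning with "+q" is the Request Terminfo String
// query (DCS + q Pt ST) whose handler the fix for CVE-2019-0542 removes.
const ESC = '\x1b';
const DCS_8BIT = '\x90';
const ST_8BIT = '\x9c';

function stripDcsSequences(input) {
  let cleaned = '';
  const removed = [];
  let i = 0;
  while (i < input.length) {
    let bodyStart = -1;
    if (input[i] === ESC && input[i + 1] === 'P') {
      bodyStart = i + 2;           // 7-bit introducer: ESC P
    } else if (input[i] === DCS_8BIT) {
      bodyStart = i + 1;           // 8-bit introducer: 0x90
    }
    if (bodyStart === -1) {        // ordinary character: pass it through
      cleaned += input[i];
      i += 1;
      continue;
    }
    // Scan for the string terminator: ESC \ (7-bit) or 0x9C (8-bit).
    let end = -1;
    let next = -1;
    for (let j = bodyStart; j < input.length; j++) {
      if (input[j] === ESC && input[j + 1] === '\\') { end = j; next = j + 2; break; }
      if (input[j] === ST_8BIT) { end = j; next = j + 1; break; }
    }
    if (end === -1) {              // unterminated DCS: drop the rest of the chunk
      end = input.length;
      next = input.length;
    }
    const body = input.slice(bodyStart, end);
    removed.push({ body, requestTerminfo: body.startsWith('+q') });
    i = next;
  }
  return { cleaned, removed };
}
```

Call it on each chunk before handing the text to the emulator's write method; because an unterminated DCS at the end of a chunk is discarded, streamed output should be buffered until the terminator arrives rather than relying on this per-chunk behaviour.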

Available Upgrade Options

  • xterm
    • <3.8.1 → Upgrade to 3.8.1
    • >3.9.0, <3.9.2 → Upgrade to 3.9.2
    • >3.10.0, <3.10.1 → Upgrade to 3.10.1


Additional Resources

What are Similar Vulnerabilities to CVE-2019-0542?

Similar Vulnerabilities: CVE-2020-14002, CVE-2020-13935, CVE-2022-26487, CVE-2022-24879, CVE-2020-8174