CVE-2023-43620: 
NixOS vulnerability analysis and mitigation

A vulnerability was discovered in Croc through version 9.6.5 that allows a sender to place ANSI or CSI escape sequences in filenames to potentially attack the terminal device of a receiver. The vulnerability was assigned CVE-2023-43620 and affects all versions of Croc up to and including 9.6.5 (NVD, CVE).

The vulnerability stems from Croc's failure to filter filenames containing arbitrary characters on the receiver side. On Linux systems, filenames can contain any characters except the path separator '/', including ASCII control codes and ANSI/CSI terminal escape sequences. When these filenames are output to stdout during transmission, the escape sequences are interpreted by the receiver's terminal, potentially leading to text coloration, cursor manipulation, or even arbitrary code execution in insecure terminal emulator setups. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

The vulnerability can be exploited to hide malicious file transfers by manipulating terminal output on the receiver's side. For example, an attacker can create filenames containing escape sequences that move the cursor and overwrite previous lines, making certain transferred files appear harmless or completely invisible to the user (OSS Security).

To fix this vulnerability, Croc should implement filtering of filenames on the receiver side to either reject or replace any unsafe non-printable characters. Until a patch is available, users should exercise caution when accepting file transfers from untrusted sources (OSS Security).