CVE-2023-49284: 
NixOS vulnerability analysis and mitigation

The fish shell (versions prior to 3.6.2) contains a design flaw in handling Unicode non-characters used internally for marking wildcards and expansions. The vulnerability, identified as CVE-2023-49284, allows these markers to be read on command substitution output instead of being transformed into a safe internal representation. This design flaw has existed for approximately 15 years, affecting all versions of fish shell during this period (GitHub Advisory).

The vulnerability stems from the shell's improper handling of Unicode non-characters used for internal marking of wildcards and expansions. When command substitution output contains these special markers, they are incorrectly processed instead of being safely transformed. For example, 'echo \UFDD2HOME' produces the same output as 'echo $HOME', demonstrating how the vulnerability can trigger unintended shell expansions (Openwall). The vulnerability has been assigned a CVSS v3.1 base score of 3.9 (Low) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L (GitHub Advisory).

While direct code execution is not possible, the vulnerability can lead to denial of service through large brace expansion or information disclosure via variable expansion under certain circumstances. The impact occurs when output containing these special Unicode markers is fed from an external program into a command substitution (GitHub Advisory).

The vulnerability has been fixed in fish shell version 3.6.2. Users are advised to upgrade to this version or later. There are no known workarounds for this vulnerability (GitHub Advisory).