CVE-2025-58160: 
Rust vulnerability analysis and mitigation

CVE-2025-58160 affects tracing-subscriber, a framework component for instrumenting Rust programs to collect structured, event-based diagnostic information. The vulnerability was discovered and disclosed on August 29, 2025, affecting versions prior to 0.3.20. This security issue involves ANSI escape sequence injection attacks in the tracing-subscriber component (GitHub Advisory).

The vulnerability is classified with a CVSS v4.0 base score of 2.3 (LOW) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. The issue stems from improper neutralization of escape, meta, or control sequences (CWE-150), where untrusted user input containing ANSI escape sequences could be injected into terminal output during logging operations (GitHub Advisory, NVD).

The vulnerability allows attackers to manipulate terminal title bars, clear screens, modify terminal display, and potentially mislead users through terminal manipulation. While the direct impact is considered minimal, there are potential security implications when combined with vulnerabilities in terminal emulators that could be exploited through ANSI escape sequences in logs (GitHub Advisory).

The vulnerability has been fixed in tracing-subscriber version 0.3.20 by implementing proper escaping of ANSI control characters when writing events to destinations that may be printed to the terminal. For users unable to upgrade immediately, a workaround involves avoiding printing logs to terminal emulators without escaping ANSI control sequences (GitHub Advisory).