RUSTSEC-2025-0055: 
Rust vulnerability analysis and mitigation

The vulnerability (RUSTSEC-2025-0055/CVE-2025-58160) affects the tracing-subscriber Rust package versions prior to 0.3.20. Discovered and disclosed on August 29, 2025, this vulnerability involves ANSI escape sequence injection attacks where untrusted user input containing ANSI escape sequences could be injected into terminal output when logged. The issue was reported by security researcher zefr0x to the Tokio project security team (GitHub Advisory).

The vulnerability is classified as CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences) with a CVSS v4 score of 2.3 (Low severity). The technical assessment indicates that the vulnerability has network attack vector, low attack complexity, and requires no privileges but passive user interaction. The EPSS score of 0.042% suggests a relatively low probability of exploitation within 30 days (GitHub Advisory).

When exploited, the vulnerability could allow attackers to manipulate terminal title bars, clear screens, modify terminal display, and potentially mislead users through terminal manipulation. While the direct impact is considered minimal in isolation, the vulnerability could be leveraged to exploit vulnerabilities in terminal emulators through ANSI escape sequences via logs (GitHub Advisory).

The vulnerability has been patched in tracing-subscriber version 0.3.20, which implements proper escaping of ANSI control characters when writing events to destinations that may be printed to the terminal. For users unable to update immediately, the recommended workaround is to avoid printing logs to terminal emulators without escaping ANSI control sequences (GitHub Advisory).