In late 2022 and 2023, an audit was conducted on terminal emulators, specifically focusing on open source software, to identify vulnerabilities. The results of this work uncovered 10 CVEs that could potentially lead to Remote Code Execution (RCE) in terminal emulators, along with other bugs and opportunities for hardening. Several new methods of exploiting these vulnerabilities were also discovered. Terminal emulators refer to software re-implementations of physical terminal devices, such as those from Digital Equipment Corporation. This paper provides a technical write-up assuming some level of familiarity with the subject matter. The various classes of vulnerabilities include misuse of escape sequences, queries and echoback, buffer overflow, lack of escaping in processing, and denial-of-service possibilities.
https://dgl.cx/2023/09/ansi-terminal-security