search menu icon-carat-right cmu-wordmark

CERT Coordination Center

iTerm2 with tmux integration is vulnerable to remote command execution

Vulnerability Note VU#763073

Original Release Date: 2019-10-09 | Last Revised: 2019-10-25


iTerm2, up to and including version 3.3.5, with tmux integration is vulnerable to remote command execution.


iTerm2 is a popular terminal emulator for macOS that supports terminal multiplexing using tmux integration and is frequently used by developers and system administrators. A vulnerability, identified as CVE-2019-9535, exists in the way that iTerm2 integrates with tmux's control mode, which may allow an attacker to execute arbitrary commands by providing malicious output to the terminal. This affects versions of iTerm2 up to and including 3.3.5.


This vulnerability may allow an attacker to execute arbitrary commands on their victim's computer by providing malicious output to the terminal. It could be exploited using command-line utilities that print attacker-controlled content. Potential attack vectors include connecting via ssh to a malicious server, using curl to fetch a malicious website, or using tail -f to follow a logfile containing some malicious content.


Apply an update

Update iTerm2 to version 3.3.6, which includes mitigations against exploitation of this vulnerability. The latest version is available as an update within the program itself, or can be downloaded here. As the tmux integration cannot be disabled through configuration, a complete resolution is not yet available. We recommend that users of tmux integration follow the best practices outlined by iTerm2.

Vendor Information


iTerm 2 Affected

Updated:  October 08, 2019



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group Score Vector
Base 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal 7.3 E:POC/RL:OF/RC:C
Environmental 1.8 CDP:ND/TD:L/CR:ND/IR:ND/AR:ND



Thanks to Stefan Grönke and Fabian Freyer of Radically Open Security for finding this vulnerability, the Mozilla Open Source Support (MOSS) project for supporting the audit, and George Nachman of iTerm2 for developing the fix, and all parties for coordinating this vulnerability.

This document was written by Madison Oliver.

Other Information

CVE IDs: CVE-2019-9535
Date Public: 2019-10-09
Date First Published: 2019-10-09
Date Last Updated: 2019-10-25 13:48 UTC
Document Revision: 37

Sponsored by CISA.