CVE-2024-38395

9.8 CRITICAL

📋 TL;DR

iTerm2 before 3.5.2 did not honor the 'Terminal may report window title' setting: the terminal could answer a program's window-title query even with the setting disabled. The title itself is attacker-controllable through an ordinary escape sequence (OSC 0 or OSC 2), and the reply to a title query (CSI 21 t) is written back to the pty as input, exactly as if the user had typed it. Anything that can write to the terminal (a malicious file displayed with cat or less, a compromised host reached over ssh, the output of an untrusted program) can therefore inject input into the user's shell and potentially execute arbitrary code. All iTerm2 versions before 3.5.2 are affected.
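The round trip described above, as an added illustrative model that is not iTerm2's code and not taken from the CVE: a tiny terminal model that tracks the title set by OSC 0/2, answers CSI 21 t with the xterm-style reply OSC l <title> ST, and can be switched between honoring and ignoring the 'may report window title' preference. It also includes a pre-screening scanner for title-report queries in untrusted data. The sample program output is constructed for the demonstration.

```python
import re

# Escape sequences in the title-report round trip (xterm conventions):
#   ESC ] 0 ; <text> BEL  or  ESC ] 2 ; <text> BEL   set the window title
#   ESC [ 21 t                                      ask the terminal to report its title
#   ESC ] l <title> ESC \                           the terminal's reply, delivered on the
#                                                   pty *input* side, i.e. as if typed
_TOKEN = re.compile(
    r"\x1b\](?:0|2);(?P<title>[^\x07\x1b]*)(?:\x07|\x1b\\)"  # title set
    r"|\x1b\[21t"                                            # title query
)


class TerminalModel:
    """Model of the one behaviour this bug concerns (illustrative, not iTerm2 code).

    may_report_title  mirrors the 'Terminal may report window title' preference.
    honors_setting    False models the affected versions, where the preference is
                      ignored; True models the fixed behaviour.
    """

    def __init__(self, may_report_title: bool, honors_setting: bool) -> None:
        self.title = ""
        self.may_report_title = may_report_title
        self.honors_setting = honors_setting

    def feed(self, output: str) -> str:
        """Consume text written by the foreground program and return what the
        terminal sends back to the pty as input in response."""
        replies = []
        for m in _TOKEN.finditer(output):
            title = m.group("title")
            if title is not None:
                self.title = title          # attacker chooses this text
            elif self.may_report_title or not self.honors_setting:
                replies.append(f"\x1b]l{self.title}\x1b\\")
        return "".join(replies)


def injected_text(reply: str) -> str:
    """Strip the OSC l ... ST framing and return the attacker-chosen bytes that
    reach whatever program is reading the pty (normally the shell)."""
    return reply.removeprefix("\x1b]l").removesuffix("\x1b\\")


def find_title_report_requests(data: bytes) -> list[int]:
    """Byte offsets of title-report queries in untrusted data (a file you are about
    to cat, a captured session), useful for pre-screening on an unpatched client."""
    return [m.start() for m in re.finditer(rb"\x1b\[21t", data)]


# Constructed attacker output for the demo: set the title to a command, then ask
# the terminal to report it straight back.
MALICIOUS_OUTPUT = "\x1b]2;echo pwned\x07\x1b[21t"


def demo() -> dict[str, str]:
    """Compare what each configuration sends back to the shell for the same output."""
    return {
        "affected, setting off": TerminalModel(False, honors_setting=False).feed(MALICIOUS_OUTPUT),
        "fixed, setting off": TerminalModel(False, honors_setting=True).feed(MALICIOUS_OUTPUT),
        "fixed, setting on": TerminalModel(True, honors_setting=True).feed(MALICIOUS_OUTPUT),
    }


if __name__ == "__main__":
    for config, reply in demo().items():
        print(f"{config:22s} -> shell receives {injected_text(reply)!r}")
    print("title queries at offsets", find_title_report_requests(MALICIOUS_OUTPUT.encode()))
```

The affected configuration returns the attacker's text to the shell even though the preference is off, which is the whole bug; the fixed model with the same preference returns nothing. The scanner is a coarse pre-check only: it does not see content that is generated at runtime by a remote host.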

💻 Affected Systems

Products:
  • iTerm2
Versions: All versions before 3.5.2
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: The setting is off by default, but affected versions did not honor it, so the default configuration is exposed regardless of its value. The attacker needs no access to the machine beyond getting bytes rendered in the victim's terminal.

📦 What is this software?

iTerm2 is a free, open-source terminal emulator for macOS, widely used as a replacement for the built-in Terminal.app. Like any terminal it interprets escape sequences embedded in the output of the programs it runs, which is the surface this vulnerability sits on.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Arbitrary command execution as the logged-in user, with access to everything that user's shell can reach (SSH keys, cloud credentials, source trees). If the injected input lands in a privileged session, for example a root shell on a remote host, the compromise extends to that host.

🟠

Likely Case

Command execution in the context of the user's shell session, potentially leading to credential theft or lateral movement from the user's workstation.

🟢

If Mitigated

No impact once iTerm2 is updated to 3.5.2 or later. Disabling the setting on its own is not a reliable mitigation in affected versions, because the bug is precisely that the setting was not honored.

🌐 Internet-Facing: LOW. iTerm2 is a client application that listens on no port; exposure comes only from content it renders, so the attacker must get the user to display something they control (an ssh session to a hostile host, a downloaded file, a script piped into the shell).
🏢 Internal Only: MEDIUM. Engineers routinely cat logs, tail output and ssh into shared or lower-trust hosts from iTerm2; anything able to write to one of those sessions can reach the terminal.

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: Yes (no authentication to iTerm2 is involved; the attacker only needs bytes rendered in the victim's terminal)
Complexity: HIGH

The CVE description characterizes the issue as 'not trivially exploitable': the attacker has to get crafted output rendered in the victim's terminal, and the injected reply is only useful if the program reading the pty at that moment acts on it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.2

Vendor Advisory: https://iterm2.com/downloads.html

Restart Required: Yes

Instructions:

1. Download iTerm2 version 3.5.2 or later from https://iterm2.com/downloads.html
2. Install the new version
3. Restart iTerm2

🔧 Temporary Workarounds

Avoid rendering untrusted output in an unpatched iTerm2

macOS (all affected versions)

Because affected versions ignore the 'Terminal may report window title' setting, turning it off does not reliably block the attack. Until you can update, confirm the setting is off anyway (Preferences > Profiles > Terminal), and use a different terminal, such as Terminal.app, for sessions to low-trust hosts and for viewing downloaded files.

🧯 If You Can't Patch

  • Confirm 'Terminal may report window title' is disabled in Preferences > Profiles > Terminal, while understanding that affected versions may not honor it
  • Do not cat, less or otherwise display untrusted files, and do not ssh to untrusted hosts, from an unpatched iTerm2; use another terminal for those sessions

🔍 How to Verify

Check if Vulnerable:

Open iTerm2 > About iTerm2 from the menu bar; any version below 3.5.2 (including 3.5.2 betas) is affected.

Check Version:

iTerm2 > About iTerm2, or read CFBundleShortVersionString from the application bundle's Info.plist

Verify Fix Applied:

Confirm the version shown is 3.5.2 or later, then restart iTerm2 so the new build is actually the one running.
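An added version check that is not part of the original page or of the iTerm2 project: it reads CFBundleShortVersionString from each installed iTerm.app bundle's Info.plist and compares it with the 3.5.2 fix, treating pre-release builds of 3.5.2 as still affected. The bundle paths are the usual install locations and are assumptions; the fake bundles built for the demo are constructed so the script runs offline.

```python
import plistlib
import re
import tempfile
from pathlib import Path

FIXED_VERSION = (3, 5, 2)

# Usual install locations (assumed); the iTerm2 app bundle is named iTerm.app.
DEFAULT_BUNDLES = [
    Path("/Applications/iTerm.app"),
    Path.home() / "Applications" / "iTerm.app",
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn '3.5.2', '3.4.23' or '3.5.2beta3' into a comparable tuple. A pre-release
    suffix sorts below the final release of the same number, so '3.5.2beta3' is
    still treated as older than the 3.5.2 fix (the conservative choice)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if suffix else 1)


def is_vulnerable(version_text: str) -> bool:
    """True for every version that sorts before the final 3.5.2 release."""
    return parse_version(version_text) < (*FIXED_VERSION, 1)


def bundle_version(bundle: Path) -> str:
    with open(bundle / "Contents" / "Info.plist", "rb") as f:
        return plistlib.load(f)["CFBundleShortVersionString"]


def check_bundles(bundles=DEFAULT_BUNDLES) -> dict[str, str]:
    """Map each candidate bundle path to 'VULNERABLE (x)', 'fixed (x)' or 'not installed'."""
    result: dict[str, str] = {}
    for bundle in bundles:
        if not (bundle / "Contents" / "Info.plist").exists():
            result[str(bundle)] = "not installed"
            continue
        version = bundle_version(bundle)
        state = "VULNERABLE" if is_vulnerable(version) else "fixed"
        result[str(bundle)] = f"{state} ({version})"
    return result


def make_fake_bundle(root: Path, version: str) -> Path:
    """Build a stand-in iTerm.app containing only an Info.plist (constructed for the
    offline demo; a real bundle is far larger)."""
    bundle = root / "iTerm.app"
    (bundle / "Contents").mkdir(parents=True)
    with open(bundle / "Contents" / "Info.plist", "wb") as f:
        plistlib.dump({"CFBundleShortVersionString": version,
                       "CFBundleExecutable": "iTerm2"}, f)
    return bundle


def demo() -> dict[str, str]:
    """Run the check against one affected, one fixed and one missing fake bundle."""
    with tempfile.TemporaryDirectory() as tmp:
        old = make_fake_bundle(Path(tmp) / "old", "3.5.1")
        new = make_fake_bundle(Path(tmp) / "new", "3.5.2")
        return check_bundles([old, new, Path(tmp) / "missing" / "iTerm.app"])


if __name__ == "__main__":
    for path, state in check_bundles().items():      # the real machine
        print(f"{state:20s} {path}")
    for path, state in demo().items():               # the constructed bundles
        print(f"{state:20s} {path}")
```

On a Mac the same fact is available from the command line with `/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' /Applications/iTerm.app/Contents/Info.plist`; the script only adds the version comparison and the pre-release handling. Note that the plist reports the installed build, not the running one, so restart iTerm2 after updating.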

📡 Detection & Monitoring

Log Indicators:

  • iTerm2 does not log window-title changes, so the usable endpoint signal is process ancestry: commands launched from an iTerm2-spawned shell immediately after that shell displayed untrusted content (an ssh session, cat or less of a downloaded file), especially commands the user does not recognize
  • Process execution from terminal sessions that does not match the user's normal activity

Network Indicators:

  • Unexpected outbound connections from processes whose ancestry is iTerm2 > shell > child, shortly after a session to a low-trust host

SIEM Query:

Treat this as a hunt rather than an alert: select process-creation events whose ancestor executable is the iTerm2 binary inside iTerm.app, and join against software inventory to keep only hosts running iTerm2 below 3.5.2. Normal interactive use produces the same ancestry, so narrow further to child commands that follow an ssh, cat or less of external content.
