CVE-2025-22275
Published: 03 January 2025
Summary
CVE-2025-22275 is a critical-severity Insertion of Sensitive Information into Log File (CWE-532) vulnerability in iTerm2. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 32.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-22275 is a vulnerability in the iTerm2 terminal emulator, affecting versions 3.5.6 through 3.5.10 (before 3.5.11). It stems from CWE-532 (Insertion of Sensitive Information into Log File) and sometimes allows remote attackers to obtain sensitive information from terminal commands by reading the /tmp/framer.txt file. This occurs in certain configurations involving it2ssh and SSH Integration, during remote logins to hosts that have a common Python installation.
The vulnerability has a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N), indicating it is exploitable by unauthenticated remote attackers with low attack complexity, no user interaction, and a changed scope. The confidentiality impact is high, because attackers can access sensitive terminal command data; the integrity impact is low, and availability is not affected.
Official advisories recommend upgrading to iTerm2 3.5.11 for mitigation, as outlined in the version changelog. A detailed explanation of the SSH Integration information leak is available in the iTerm2 GitLab wiki, with community discussion on Hacker News.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2685
Vulnerability details
iTerm2 3.5.6 through 3.5.10 before 3.5.11 sometimes allows remote attackers to obtain sensitive information from terminal commands by reading the /tmp/framer.txt file. This can occur for certain it2ssh and SSH Integration configurations, during remote logins to hosts that have a common Python installation.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability leaks terminal command data (including potential credentials and shell activity) into an accessible log file, directly enabling local data collection and unsecured credential access.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the vulnerability by requiring timely patching of iTerm2 to version 3.5.11, which fixes the insecure writing of sensitive terminal commands to /tmp/framer.txt.
- Prevents unauthorized information transfer via shared system resources like the world-readable /tmp directory exploited for sensitive data disclosure in this CVE.
- Enforces secure configuration settings for iTerm2 SSH Integration and it2ssh features to avoid creation of insecure temporary files during remote logins.