CVE-2025-22275

Critical

Published: 03 January 2025

Modified: 20 June 2025
KEV Added
Patch
CVSS Score v3.1: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N)
EPSS Score: 0.0013 (32.3rd percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-22275 is a critical-severity Insertion of Sensitive Information into Log File (CWE-532) vulnerability in iTerm2. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 32.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-22275 is a vulnerability in the iTerm2 terminal emulator, affecting versions 3.5.6 through 3.5.10 (before 3.5.11). It is an instance of CWE-532 (Insertion of Sensitive Information into Log File) and allows remote attackers to obtain sensitive information from terminal commands by reading the /tmp/framer.txt file. This occurs in certain it2ssh and SSH Integration configurations, during remote logins to hosts that have a common Python installation.

The vulnerability has a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N): it is rated as exploitable over the network by unauthenticated attackers, with low attack complexity, no user interaction, and a changed scope. Confidentiality impact is high (access to sensitive terminal command data), integrity impact is low, and availability is not affected.

Official advisories recommend upgrading to iTerm2 3.5.11 for mitigation, as outlined in the version changelog. A detailed explanation of the SSH Integration information leak is available in the iTerm2 GitLab wiki, with community discussion on Hacker News.
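
A host-side check for the file named above, added here as an example (it is not from this advisory or from the iTerm2 project). It assumes the file is left on the host that was logged into; the function names and status labels are hypothetical, and only file metadata is inspected, never the contents.

```shell
#!/bin/sh
# Added example: audit a host for the log file named in CVE-2025-22275.
# The default path comes from the advisory; function names and the
# status labels are hypothetical. File contents are never read or printed.

FRAMER_LOG="${FRAMER_LOG:-/tmp/framer.txt}"

# Print one status word for the given path:
#   absent       nothing exists at the path
#   not-regular  symlink, directory, FIFO, etc. (inspect by hand)
#   exposed      regular file readable by group or others
#   restricted   regular file readable by its owner only
framer_log_status() {
    path="${1:-$FRAMER_LOG}"
    if [ ! -e "$path" ] && [ ! -L "$path" ]; then
        echo absent
        return 0
    fi
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo not-regular
        return 0
    fi
    # Field 1 of `ls -ln` is the mode string, e.g. -rw-r--r--
    mode=$(ls -ln "$path" | awk '{print $1}')
    case "$mode" in
        ????r*|???????r*) echo exposed ;;   # char 5 = group read, char 8 = other read
        *)                echo restricted ;;
    esac
}

# One-line report: status, then numeric owner, size and mtime from ls.
framer_log_report() {
    path="${1:-$FRAMER_LOG}"
    st=$(framer_log_status "$path")
    case "$st" in
        absent) echo "$path: absent" ;;
        *)      echo "$path: $st [$(ls -lnd "$path")]" ;;
    esac
}

framer_log_report "$FRAMER_LOG"
```

Run it on each host reached through it2ssh or SSH Integration from an affected iTerm2 version; `exposed` means other local accounts can read the file.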

Vulnerability details

iTerm2 3.5.6 through 3.5.10 before 3.5.11 sometimes allows remote attackers to obtain sensitive information from terminal commands by reading the /tmp/framer.txt file. This can occur for certain it2ssh and SSH Integration configurations, during remote logins to hosts that have a common Python installation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1552.003 Shell History (Credential Access)
Adversaries may search the command history on compromised systems for insecurely stored credentials.
Why these techniques?

The vulnerability leaks terminal command data (including potential credentials and shell activity) into an accessible log file, directly enabling local data collection and unsecured credential access.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-24984: Shared CWE-532
CVE-2025-0976: Shared CWE-532
CVE-2025-23374: Shared CWE-532
CVE-2026-4788: Shared CWE-532
CVE-2026-28261: Shared CWE-532
CVE-2025-24556: Shared CWE-532
CVE-2026-24308: Shared CWE-532
CVE-2026-28987: Shared CWE-532
CVE-2026-32982: Shared CWE-532
CVE-2026-44052: Shared CWE-532

Affected Assets

iterm2
iterm2
3.5.6 — 3.5.11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly mitigates the vulnerability by requiring timely patching of iTerm2 to version 3.5.11, which fixes the insecure writing of sensitive terminal commands to /tmp/framer.txt.

prevent

Prevents unauthorized information transfer via shared system resources like the world-readable /tmp directory exploited for sensitive data disclosure in this CVE.

prevent

Enforces secure configuration settings for iTerm2 SSH Integration and it2ssh features to avoid creation of insecure temporary files during remote logins.
