Home

Description

App::Ack versions through 3.10.0 for Perl print unsanitised terminal escape sequences from filenames in several output modes. When ack prints a filename whose basename contains terminal control bytes such as ANSI escape sequences, those bytes reach the terminal unchanged. Version 3.10.0 added a _safe_filename helper that sanitises the filenames printed by -f, -g, the colored match heading, and per-match lines, but the --show-types, -l/-L, and -c paths still emit the raw filename. A file whose name embeds cursor-movement or color escapes can overwrite or recolor earlier terminal output, or be passed unchanged to a downstream consumer.

PUBLISHED Reserved 2026-05-27 | Published 2026-07-08 | Updated 2026-07-08 | Assigner CPANSec

Problem types

CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences

Product status

Default status
unaffected

Any version
affected

Timeline

2026-06-07:Version 3.10.0 released with partial fix for most output paths.

Credits

Michał Majchrowicz (AFINE) finder

Marcin Wyczechowski (AFINE) finder

References

metacpan.org/release/PETDANCE/ack-v3.10.0/source/Changes release-notes

cve.org (CVE-2026-49147)

nvd.nist.gov (CVE-2026-49147)

Download JSON