CVE-2025-58160: CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences in tokio-rs tracing
tracing is a framework for instrumenting Rust programs to collect structured, event-based diagnostic information. Prior to version 0.3.20, tracing-subscriber was vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to manipulate terminal title bars, clear screens or modify terminal display, and potentially mislead users through terminal manipulation. tracing-subscriber version 0.3.20 fixes this vulnerability by escaping ANSI control characters when writing events to destinations that may be printed to the terminal. A workaround involves avoiding printing logs to terminal emulators without escaping ANSI control sequences.
AI Analysis
Technical Summary
CVE-2025-58160 is a vulnerability identified in the tracing-subscriber crate, part of the tracing framework used in Rust programs for structured, event-based diagnostic logging. Versions of tracing-subscriber prior to 0.3.20 are susceptible to ANSI escape sequence injection attacks. This vulnerability arises because untrusted user input containing ANSI escape sequences can be logged and subsequently rendered in terminal emulators without proper sanitization or escaping. ANSI escape sequences are character sequences, introduced by the ESC control character, that a terminal interprets as commands rather than as text, for example to change text color, clear the screen, or set the terminal title bar. An attacker exploiting this vulnerability could inject such sequences into logs, potentially misleading users by altering terminal displays or hiding malicious activity. The vulnerability is classified under CWE-150, which concerns improper neutralization of escape, meta, or control sequences. The issue was addressed in tracing-subscriber version 0.3.20 by escaping ANSI control characters when writing events to outputs that may be displayed in terminals. A temporary workaround involves avoiding printing logs directly to terminal emulators without escaping these sequences. The CVSS 4.0 base score is 2.3, indicating a low severity level, reflecting limited impact on confidentiality, integrity, and availability, and requiring user interaction for exploitation. No known exploits are currently reported in the wild.
Potential Impact
For European organizations using Rust applications that incorporate the tracing framework, particularly tracing-subscriber versions prior to 0.3.20, this vulnerability could lead to misleading terminal outputs. While the direct impact on confidentiality, integrity, or availability is minimal, the ability to manipulate terminal displays can facilitate social engineering attacks or hide malicious activity during incident response or debugging. This could reduce trust in diagnostic logs and complicate forensic investigations. Organizations relying heavily on terminal-based monitoring or logging tools that display tracing output are more at risk. However, since exploitation requires user interaction (viewing the manipulated logs) and does not grant direct system control or data exfiltration, the overall operational risk remains low. Nonetheless, in environments where accurate logging is critical for compliance or security auditing, this vulnerability could undermine confidence in system integrity and monitoring.
Mitigation Recommendations
European organizations should upgrade all tracing-subscriber dependencies to version 0.3.20 or later to ensure ANSI escape sequences are properly escaped in logs. Until upgrades can be applied, logs containing untrusted input should not be printed directly to terminal emulators without sanitization. Implement input validation and sanitization to strip or encode ANSI escape sequences before logging untrusted data. Additionally, consider configuring logging outputs to files or systems that do not render ANSI sequences, such as centralized log management solutions that treat logs as plain text. Security teams should educate developers and operators about the risks of ANSI escape sequence injection and incorporate checks for such sequences in code reviews and automated scanning tools. Monitoring for unusual terminal behavior or unexpected log content can also help detect attempted exploitation.
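The following is an added example, not tracing-subscriber's own code, showing the approach the 0.3.20 fix and the mitigation above describe: control characters in an untrusted field are escaped into visible text before the line can reach a terminal, and a small check flags records that carry escape sequences for review. `format_record` and the sample username are constructed for this example.

```rust
// Added example, not code from the tracing crate: escape control
// characters before a log line can reach a terminal, and flag records
// that carry escape sequences so they can be reviewed.

/// True for characters a terminal may execute rather than print:
/// Unicode control characters (C0, DEL, C1) other than tab and newline.
fn is_terminal_control(c: char) -> bool {
    c.is_control() && c != '\t' && c != '\n'
}

/// Rewrites each control character as its Rust escape form, e.g. ESC
/// becomes the visible text `\u{1b}`, so a sequence such as `ESC [ 2 J`
/// is displayed literally instead of clearing the screen.
pub fn escape_for_terminal(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        if is_terminal_control(c) {
            out.extend(c.escape_default());
        } else {
            out.push(c);
        }
    }
    out
}

/// Detection aid for log review: does the field contain the ESC (U+001B)
/// or single-character CSI (U+009B) introducer of an ANSI sequence?
pub fn contains_escape_sequence(input: &str) -> bool {
    input.chars().any(|c| c == '\u{1b}' || c == '\u{9b}')
}

/// Builds one log line from a trusted template and an untrusted field
/// (hypothetical helper); only the untrusted part is escaped.
pub fn format_record(level: &str, msg: &str, untrusted: &str) -> String {
    format!("{level} {msg} input={}", escape_for_terminal(untrusted))
}

fn main() {
    // Constructed sample: a username field carrying a clear-screen sequence.
    let username = "alice\u{1b}[2J";
    println!("{}", format_record("INFO", "login attempt", username));
    if contains_escape_sequence(username) {
        println!("WARN control sequence found in untrusted field");
    }
}
```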
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-08-27T13:34:56.186Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 68b21c80ad5a09ad007ba03d
Added to database: 8/29/2025, 9:32:48 PM
Last enriched: 8/29/2025, 9:48:02 PM
Last updated: 8/29/2025, 9:48:02 PM