CVE-2026-49147 PUBLISHED

App::Ack versions through 3.10.0 for Perl print unsanitised terminal escape sequences from filenames in several output modes

Assigner: CPANSec
Reserved: 27.05.2026 Published: 08.07.2026 Updated: 08.07.2026

App::Ack versions through 3.10.0 for Perl print unsanitised terminal escape sequences from filenames in several output modes.

When ack prints a filename whose basename contains terminal control bytes such as ANSI escape sequences, those bytes reach the terminal unchanged. Version 3.10.0 added a _safe_filename helper that sanitises the filenames printed by -f, -g, the colored match heading, and per-match lines, but the --show-types, -l/-L, and -c paths still emit the raw filename.

A file whose name embeds cursor-movement or color escapes can overwrite or recolor earlier terminal output, or be passed unchanged to a downstream consumer.

Product Status

Vendor PETDANCE
Product App::Ack
Versions Default: unaffected
  • affected from 0 to 3.10.0 (incl.)

Workarounds

Pipe ack output through a filter that strips terminal control characters when running ack over untrusted filenames.

Solutions

Upgrade to a future ack release.

Credits

  • Michał Majchrowicz (AFINE) finder
  • Marcin Wyczechowski (AFINE) finder

References

Problem Types

  • CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences CWE