Ghostty can be used as a vector for privilege escalation from other vulnerable or malicious sources

Low
mitchellh published GHSA-q9fg-cpmh-c78x Sep 15, 2025

Package

Ghostty (Ghostty)

Affected versions

< 1.2.0

Patched versions

1.2.0

Description

Impact

If an application is able to execute Ghostty via something like open -a Ghostty <path to exe> or NSWorkspace, the launched executable will inherit Ghostty's permissions rather than those of the original application. Ghostty generally has wide-ranging permissions (e.g. full disk access), as is typical for a terminal. Therefore, Ghostty could be used as a vector for privilege escalation.

This requires a vulnerable application outside of Ghostty to initiate this chain of events. As such, this is considered a low-risk advisory and no CVE will be assigned.

Patches

Fixed in Ghostty v1.2.0.

Ghostty now unconditionally asks for permission prior to executing any script or executable, regardless of filetype and sender.

PR: #8442

Workarounds

There are no workarounds in earlier versions of Ghostty.
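
On hosts still running a version before 1.2.0, process-execution telemetry can be reviewed for the launch pattern described under Impact. The following is an added example, not code from the Ghostty project: it parses `open` command lines and reports the files they hand to Ghostty. The sample argv lists, the function names, and the bundle identifier are assumptions made for illustration.

```python
import os

# Options of macOS open(1) that consume the following argument.
TAKES_VALUE = {"-a", "-b", "-s", "-u", "--env", "--stdin", "--stdout", "--stderr", "--arch"}
GHOSTTY_APP_NAMES = {"ghostty", "ghostty.app"}
GHOSTTY_BUNDLE_ID = "com.mitchellh.ghostty"  # assumption: not stated in the advisory


def ghostty_open_targets(argv):
    """Return the files an `open` command line hands to Ghostty, or [] if none."""
    if not argv or os.path.basename(argv[0]) != "open":
        return []
    to_ghostty, files, i = False, [], 1
    while i < len(argv):
        arg = argv[i]
        if arg == "--args":  # the rest goes to the app's own argv, not "open this file"
            break
        if arg in TAKES_VALUE:
            value = argv[i + 1] if i + 1 < len(argv) else ""
            app = os.path.basename(value.rstrip("/")).lower()
            if (arg == "-a" and app in GHOSTTY_APP_NAMES) or (
                arg == "-b" and value.lower() == GHOSTTY_BUNDLE_ID
            ):
                to_ghostty = True
            i += 2
            continue
        if not arg.startswith("-"):
            files.append(arg)
        i += 1
    return files if to_ghostty else []


# Constructed process-exec argv samples (not real telemetry).
SAMPLE_EVENTS = [
    ["/usr/bin/open", "-a", "Ghostty", "/tmp/example/run.sh"],
    ["open", "-n", "-a", "/Applications/Ghostty.app", "/Users/alice/Downloads/tool"],
    ["open", "-b", "com.mitchellh.ghostty"],  # plain launch, no file passed
    ["open", "-a", "Safari", "https://example.com"],
    ["/bin/ls", "-a", "Ghostty"],  # not `open` at all
]


def triage(events):
    """Pair each flagged command line with the files it passes to Ghostty."""
    return [(argv, hits) for argv in events if (hits := ghostty_open_targets(argv))]


if __name__ == "__main__":
    for argv, hits in triage(SAMPLE_EVENTS):
        print("review:", " ".join(argv), "->", hits)
```

Launches made through NSWorkspace have no `open` command line, so this check covers only the first of the two paths the advisory names.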

Severity

Low

CVE ID

No known CVE

Weaknesses

No CWEs

Credits