VYPR
High severity · NVD Advisory · Published Jun 26, 2018 · Updated Aug 5, 2024

CVE-2018-1000523

Description

topydo contains a CWE-20: Improper Input Validation vulnerability in ListFormatParser::parse, file topydo/lib/ListFormat.py line 292 as of d4f843dac71308b2f29a7c2cdc76f055c3841523, that can result in injection of arbitrary bytes into the terminal, including terminal escape code sequences. This attack appears to be exploitable if the victim opens a todo.txt with at least one specially crafted line.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

topydo fails to sanitize todo.txt lines, allowing terminal escape sequence injection via `ListFormatParser::parse`.

Vulnerability

A CWE-20: Improper Input Validation vulnerability exists in topydo's ListFormatParser::parse method at topydo/lib/ListFormat.py line 292 (as of commit d4f843dac71308b2f29a7c2cdc76f055c3841523) [1][4]. The parser does not sanitize data from todo.txt lines before passing it to terminal output, enabling injection of arbitrary bytes, including terminal escape code sequences [1]. All versions up to that commit are affected [1].

Exploitation

An attacker needs to craft a todo.txt file containing specially formatted lines that embed terminal escape sequences [1][2]. The exploit requires user interaction: the victim must open the malicious todo.txt in topydo. No network or authentication barrier is described; the attack vector is local and relies on social engineering to deliver the file [2].

Impact

Successful exploitation allows the attacker to inject arbitrary escape codes into the victim's terminal session [1]. This can lead to arbitrary command execution if the terminal interprets certain sequences (e.g., those that simulate keystrokes or execute commands), or otherwise cause information disclosure or denial of service [1][2]. The attacker does not gain persistent code execution within topydo itself, but can manipulate the terminal environment.

Mitigation

No official patch has been disclosed in the available references. Users should avoid opening untrusted todo.txt files in topydo. If possible, upgrade to a version that includes input sanitization once made available [1][2]. The vulnerability is not listed on CISA's KEV as of publication date [1].
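The sanitization step the mitigation calls for, as an added example that is not topydo's code: a regular expression that strips terminal control sequences from todo.txt lines before they are written to the terminal, plus a scan that flags which lines carried them. The set of sequence families covered and the sample todo.txt are assumptions constructed for the example.

```python
import re

# Added example, not topydo's code. The sequence families below are an assumption
# about what a todo.txt renderer should never pass to the terminal; tab is kept.
_CONTROL_SEQ = re.compile(
    r"(?:\x1b\[|\x9b)[0-?]*[ -/]*[@-~]"      # CSI: ESC [ or 8-bit 0x9B, params, final byte
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?"   # OSC: ESC ] ... BEL or ESC \ (or unterminated)
    r"|\x1bP[^\x1b]*(?:\x1b\\)?"             # DCS: ESC P ... ESC \
    r"|\x1b[ -~]"                            # any other ESC followed by one printable byte
    r"|[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]"    # remaining C0/C1 control bytes
)

def find_control_sequences(line: str) -> list[str]:
    """Return every control sequence embedded in one todo.txt line, in order."""
    return _CONTROL_SEQ.findall(line)

def sanitize_line(line: str, mark: str = "") -> str:
    """Strip control sequences before the line reaches the terminal; `mark` optionally
    replaces each removed sequence with a visible placeholder."""
    return _CONTROL_SEQ.sub(mark, line)

def scan_todo_text(text: str) -> list[tuple[int, list[str]]]:
    """Flag lines of a todo.txt body that carry control sequences, as
    (1-based line number, sequences) pairs: a check to run on a file from outside."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seqs = find_control_sequences(line)
        if seqs:
            findings.append((lineno, seqs))
    return findings

# Constructed sample todo.txt: two clean tasks, two carrying escape sequences
# (an OSC window-title set and SGR colour codes), and one with a harmless tab.
SAMPLE_TODO = "\n".join([
    "(A) Call mom @phone +family",
    "x 2018-06-20 File taxes +finance",
    "Buy milk \x1b]0;injected title\x07@store",
    "Review PR \x1b[31mURGENT\x1b[0m +work",
    "Tab\tseparated note",
])

if __name__ == "__main__":
    for lineno, seqs in scan_todo_text(SAMPLE_TODO):
        print(f"line {lineno}: {[repr(s) for s in seqs]}")
    for line in SAMPLE_TODO.splitlines():
        print(sanitize_line(line, mark="<esc>"))
```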

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: topydo (PyPI)
Affected versions: <= 0.13
Patched versions: none listed

Affected products: 2

Patches: 0

No patches discovered yet.

References: 5
