CVE-2019-0542
Description
Xterm.js mishandles special characters, allowing remote code execution in applications using the library.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A remote code execution vulnerability exists in Xterm.js when the component mishandles special characters during terminal output processing. This affects all versions of xterm.js prior to the fix incorporated in Red Hat OpenShift Container Platform updates [2]. The vulnerability was disclosed in January 2019.
Exploitation
An attacker can exploit this vulnerability by sending crafted special characters to an application that uses Xterm.js to render terminal output. No authentication is required if the attacker can inject data into the terminal stream. The specific mechanism involves mishandling of escape sequences or control characters that trigger unintended code execution.
Impact
Successful exploitation allows remote code execution in the context of the application using Xterm.js. The attack can lead to full compromise of the affected system, including data disclosure, modification, or denial of service.
Mitigation
Red Hat has released security updates for OpenShift Container Platform 3.10 and 3.11 (RHSA-2019:2552 [3] and RHSA-2019:1422 [4]) that include a patched version of xterm.js. Users of xterm.js directly should update to the latest version of the library or apply vendor-provided patches. No specific fixed version of xterm.js is mentioned in the available references.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| xterm (npm) | < 3.8.1 | 3.8.1 |
| xterm (npm) | >= 3.9.0, < 3.9.2 | 3.9.2 |
| xterm (npm) | >= 3.10.0, < 3.10.1 | 3.10.1 |
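The ranges in the table above can be checked against an npm lockfile. This is an added example, not code from the advisory or from the xterm.js project; the function names `patchedVersionFor` and `findAffectedXterm`, the sample lockfile and the package name `web-console` are constructed for illustration.

```javascript
// Affected ranges for npm package "xterm", copied from the table above:
// [inclusive lower bound, exclusive upper bound (= the patched version)].
const AFFECTED = [['0.0.0', '3.8.1'], ['3.9.0', '3.9.2'], ['3.10.0', '3.10.1']];

// Strict "major.minor.patch" only; pre-release tags are rejected, not guessed at.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}
// Numeric comparison, so that 3.10.x sorts after 3.9.x.
function cmp(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}
// Returns the patched version to upgrade to, or null when not affected.
function patchedVersionFor(version) {
  const hit = AFFECTED.find(([lo, hi]) => cmp(version, lo) >= 0 && cmp(version, hi) < 0);
  return hit ? hit[1] : null;
}

// Lockfile v2/v3 lists every install path under "packages"; v1 nests copies
// under "dependencies", so that tree is walked only when "packages" is absent.
function findAffectedXterm(lock) {
  const findings = [];
  const check = (path, version) => {
    const fix = version ? patchedVersionFor(version) : null;
    if (fix) findings.push({ path, version, fix });
  };
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages))
      if (/(^|\/)node_modules\/xterm$/.test(path)) check(path, info.version);
  } else {
    const walk = (deps, trail) => {
      for (const [name, info] of Object.entries(deps || {})) {
        if (name === 'xterm') check(`${trail}/${name}`, info.version);
        walk(info.dependencies, `${trail}/${name}`);
      }
    };
    walk(lock.dependencies, '');
  }
  return findings;
}

// Constructed sample (lockfile v1 shape); "web-console" is a made-up package.
const sampleLock = { dependencies: {
  xterm: { version: '3.10.1' },
  'web-console': { version: '1.0.0', dependencies: { xterm: { version: '3.9.1' } } },
} };
console.log(findAffectedXterm(sampleLock));
```

The nested copy is the case that a top-level `npm ls xterm` glance tends to miss: the direct dependency is patched while a transitive one is still inside an affected range.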
Affected products
- https://xtermjs.org//xterm.js v5 Range: xterm.js
Patches
3592c641cd03 Remove request term info handler
1 file changed · +1 −22
src/InputHandler.ts+1 −22 modified@@ -25,26 +25,6 @@ const GLEVEL: {[key: string]: number} = {'(': 0, ')': 1, '*': 2, '+': 3, '-': 1, * DCS subparser implementations */ - /** - * DCS + q Pt ST (xterm) - * Request Terminfo String - * not supported - */ -class RequestTerminfo implements IDcsHandler { - private _data: string; - constructor(private _terminal: any) { } - hook(collect: string, params: number[], flag: number): void { - this._data = ''; - } - put(data: string, start: number, end: number): void { - this._data += data.substring(start, end); - } - unhook(): void { - // invalid: DCS 0 + r Pt ST - this._terminal.handler(`${C0.ESC}P0+r${this._data}${C0.ESC}\\`); - } -} - /** * DCS $ q Pt ST * DECRQSS (https://vt100.net/docs/vt510-rm/DECRQSS.html) @@ -87,7 +67,7 @@ class DECRQSS implements IDcsHandler { default: // invalid: DCS 0 $ r Pt ST (xterm) this._terminal.error('Unknown DCS $q %s', this._data); - this._terminal.handler(`${C0.ESC}P0$r${this._data}${C0.ESC}\\`); + this._terminal.handler(`${C0.ESC}P0$r${C0.ESC}\\`); } } } @@ -288,7 +268,6 @@ export class InputHandler extends Disposable implements IInputHandler { * DCS handler */ this._parser.setDcsHandler('$q', new DECRQSS(this._terminal)); - this._parser.setDcsHandler('+q', new RequestTerminfo(this._terminal)); } public dispose(): void {
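Review bot: In the `default:` branch of `DECRQSS` (second hunk), the comment `// invalid: DCS 0 $ r Pt ST (xterm)` no longer matches the reply, which now omits Pt; it should read `DCS 0 $ r ST`. The line above it still passes `this._data` to `this._terminal.error('Unknown DCS $q %s', this._data)`, so confirm that the error path only logs and never writes back through the handler, or drop the raw payload from the message.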
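Review bot: The diff touches only `src/InputHandler.ts` (+1 −22), so the removal of `setDcsHandler('+q', new RequestTerminfo(this._terminal))` in the last hunk ships without a regression test. Add one that feeds a DCS + q sequence through the parser and asserts that `_terminal.handler` is never called, since the visible lines do not show what the parser does with a DCS identifier that has no registered handler.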
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/errata/RHBA-2019:0959 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:1422 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:2551 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:2552 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- github.com/advisories/GHSA-mc23-976p-j42x (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-0542 (ghsa, ADVISORY)
- www.securityfocus.com/bid/106434 (ghsa, vdb-entry, x_refsource_BID, WEB)
- github.com/xtermjs/xterm.js/commit/3592c641cd0348e0b698e8a180aea2072c6bcd9a (ghsa, WEB)
- github.com/xtermjs/xterm.js/releases (mitre, x_refsource_MISC)
- github.com/xtermjs/xterm.js/releases/tag/3.8.1 (ghsa, WEB)