Critical Security Fix in iTerm2


iTerm2, the widely used terminal emulator for macOS, released version 3.5.11 on January 2, 2025. This update fixes a significant security flaw affecting anyone who used the SSH integration feature in versions 3.5.6 through 3.5.10, including the betas of those versions.

The bug is in the SSH integration itself: under certain conditions it logged the session's input and output to a file called /tmp/framer.txt on the remote host. Because /tmp is shared by every account on that host, the file could potentially be read by other users there, exposing passwords and anything else typed or displayed during the session.

When and Why This Vulnerability Happens

This vulnerability is triggered when two specific conditions are met:

You used SSH Integration: either the it2ssh command was used, or the profile's Command dropdown (Settings > Profiles > General) was set to "SSH" with the "SSH Integration" option enabled.

The remote host runs Python 3.7 or later: the logging only happens when Python 3.7 or a later version is found in the default search path on the remote host. Hosts without such a Python were not affected.

What You Should Do

To protect yourself, update iTerm2 to version 3.5.11 as soon as possible. Then check every remote host you connected to with an affected version and, if /tmp/framer.txt exists there, delete it. Deleting the file does not undo an exposure that already happened: treat anything typed or displayed over those sessions (passwords, keys, tokens) as potentially read by other users on that host, and rotate it.
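The triage script below is an added example for this page; it is not code from the iTerm2 project or the advisory. It combines the two conditions above with the cleanup step: it decides whether a local iTerm2 version string falls in the affected 3.5.6 through 3.5.10 range, whether a remote host's Python is 3.7 or later, and removes /tmp/framer.txt where it exists. Assumptions (not stated on the page): the local version is read from the app bundle's Info.plist with defaults(1), remote hosts are reachable with key-based ssh, and the interpreter that matters on the remote side is whatever python3 resolves to on the login shell's default PATH.

```shell
#!/bin/sh
# Added example for the iTerm2 /tmp/framer.txt bug; not the project's own code.
# Assumptions: iTerm2 is installed at the standard path, ssh uses key auth,
# and "python3" on the remote PATH is the interpreter the SSH integration used.

FRAMER_FILE=/tmp/framer.txt
ITERM_PLIST=/Applications/iTerm.app/Contents/Info.plist

# Split "X.Y[.Z][suffix]" into the globals maj/min/pat, dropping any suffix
# such as "beta2". Returns 1 if $1 does not start with a dotted number.
split_version() {
  v=${1%%[!0-9.]*}          # keep only the leading digits and dots
  case "$v" in
    [0-9]*.[0-9]*) ;;
    *) return 1 ;;
  esac
  maj=${v%%.*}
  rest=${v#*.}
  min=${rest%%.*}
  case "$rest" in
    *.*) pat=${rest#*.} ;;
    *)   pat=0 ;;
  esac
}

# Condition 1: iTerm2 3.5.6 through 3.5.10. Betas carry the same base number
# (e.g. "3.5.10beta2"), so the suffix is ignored on purpose.
iterm_version_affected() {
  split_version "$1" || return 1
  [ "$maj" -eq 3 ] && [ "$min" -eq 5 ] && [ "$pat" -ge 6 ] && [ "$pat" -le 10 ]
}

# Condition 2: Python 3.7 or later on the remote host's default PATH.
python_version_affected() {
  split_version "$1" || return 1
  [ "$maj" -gt 3 ] || { [ "$maj" -eq 3 ] && [ "$min" -ge 7 ]; }
}

# Report and delete one candidate log file. Returns 0 if the file was present
# (the caller should treat those sessions as exposed), 1 if it was absent.
# $1 overrides the path for local testing; the real target is $FRAMER_FILE.
clean_framer_file() {
  f=${1:-$FRAMER_FILE}
  [ -e "$f" ] || return 1
  ls -l "$f"
  rm -f -- "$f" || echo "could not remove $f (owned by another user?)" >&2
  return 0
}

# Per-host check: is the host in scope (python3 >= 3.7 on PATH), and does the
# log file exist there? The cleanup runs remotely via a one-line sh script.
check_host() {
  host=$1
  pyver=$(ssh -o BatchMode=yes "$host" \
    'python3 -c "import sys; print(\"%d.%d.%d\" % sys.version_info[:3])" 2>/dev/null')
  if [ -n "$pyver" ] && python_version_affected "$pyver"; then
    echo "$host: python3 $pyver on PATH, host is in scope"
  else
    echo "$host: no python3 >= 3.7 on PATH, integration would not have logged here"
  fi
  ssh -o BatchMode=yes "$host" \
    "if [ -e $FRAMER_FILE ]; then ls -l $FRAMER_FILE; rm -f $FRAMER_FILE && echo removed; else echo 'no $FRAMER_FILE'; fi"
}

main() {
  if [ -r "$ITERM_PLIST" ]; then
    ver=$(defaults read "$ITERM_PLIST" CFBundleShortVersionString)
    if iterm_version_affected "$ver"; then
      echo "local iTerm2 $ver is in the affected range; update to 3.5.11"
    else
      echo "local iTerm2 $ver is outside the affected range"
    fi
  fi
  for host in "$@"; do
    check_host "$host"
  done
}

# Usage: sh framer-triage.sh host1 host2 ...
if [ $# -gt 0 ]; then
  main "$@"
fi
```

The file name is fixed, so there is at most one file per host and an absent file only proves nothing is there now; another user could have copied it earlier, which is why the credential rotation step stands regardless of what the script finds. If the remote file belongs to another account, rm fails and the script says so rather than silently reporting success.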