CVE-2023-49284
CVE-2023-49284 is a low-severity vulnerability in Fishshell Fish with a CVSS 3.x base score of 3.9. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-436.
Key facts
- Severity: Low (CVSS 3.x base score 3.9)
- EPSS exploit prediction: 0% (38th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-436
- Affected product: Fishshell Fish
- Published:
- Last modified:
Description
fish is a smart and user-friendly command line shell for macOS, Linux, and the rest of the family. fish shell uses certain Unicode non-characters internally for marking wildcards and expansions. It will incorrectly allow these markers to be read on command substitution output, rather than transforming them into a safe internal representation. While this may cause unexpected behavior with direct input (for example, echo \UFDD2HOME has the same output as echo $HOME), this may become a minor security problem if the output is being fed from an external program into a command substitution where this output may not be expected. This design flaw was introduced in very early versions of fish, predating the version control system, and is thought to be present in every version of fish released in the last 15 years or more, although with different characters. Code execution does not appear to be possible, but denial of service (through large brace expansion) or information disclosure (such as variable expansion) is potentially possible under certain circumstances. fish shell 3.6.2 has been released to correct this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Frequently asked questions
- What is CVE-2023-49284?
- fish is a smart and user-friendly command line shell for macOS, Linux, and the rest of the family. fish shell uses certain Unicode non-characters internally for marking wildcards and expansions. It will incorrectly allow these markers to be read on command substitution output, rather than transforming them into a safe internal representation. While this may cause unexpected behavior with direct input (for example, echo \UFDD2HOME has the same output as echo $HOME), this may become a minor security problem if the output is being fed from an external program into a command substitution where this output may not be expected. This design flaw was introduced in very early versions of fish, predating the version control system, and is thought to be present in every version of fish released in the last 15 years or more, although with different characters. Code execution does not appear to be possible, but denial of service (through large brace expansion) or information disclosure (such as variable expansion) is potentially possible under certain circumstances. fish shell 3.6.2 has been released to correct this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability.
- How severe is CVE-2023-49284?
- CVE-2023-49284 has a CVSS 3.x base score of 3.9, rated low severity. It is exploitable over local access with low attack complexity, requires low privileges and user interaction. Impact on confidentiality is low, integrity none, and availability low.
- Is CVE-2023-49284 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (38th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-49284?
- CVE-2023-49284 affects Fishshell Fish. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-49284?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2023-49284 published?
- CVE-2023-49284 was published on 2023-12-05 and last updated on 2026-06-17.
References
- http://www.openwall.com/lists/oss-security/2023/12/08/1
- https://github.com/fish-shell/fish-shell/commit/09986f5563e31e2c900a606438f1d60d008f3a14
- https://github.com/fish-shell/fish-shell/security/advisories/GHSA-2j9r-pm96-wp4f
Affected products (1)
- cpe:2.3:a:fishshell:fish:*:*:*:*:*:*:*:*
More vulnerabilities in Fishshell Fish
- CVE-2014-2914 — Critical (CVSS 9.8): fish (aka fish-shell) 2.0.0 before 2.1.1 does not restrict access to the configuration service (aka fish_config), which…
- CVE-2022-20001 — High (CVSS 7.8): fish is a command line shell. fish version 3.1.0 through version 3.3.1 is vulnerable to arbitrary code execution. git…
- CVE-2014-3219 — High (CVSS 7.8): fish before 2.1.1 allows local users to write to arbitrary files via a symlink attack on (1) /tmp/fishd.log.%s, (2)…
- CVE-2014-3856 — High (CVSS 7.0): The funced function in fish (aka fish-shell) 1.23.0 before 2.1.1 does not properly create temporary files, which allows…
- CVE-2014-2906 — High (CVSS 7.0): The psub function in fish (aka fish-shell) 1.16.0 before 2.1.1 does not properly create temporary files, which allows…
- CVE-2014-2905 — Medium (CVSS 6.9): fish (aka fish-shell) 1.16.0 before 2.1.1 does not properly check the credentials, which allows local users to gain…
All CVEs affecting Fishshell Fish →
Other CWE-436 vulnerabilities
- CVE-2023-24813 — Critical (CVSS 10.0): Dompdf is an HTML to PDF converter written in php. Due to the difference in the attribute parser of Dompdf and…
- CVE-2026-8034 — Critical (CVSS 9.8): A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that…
- CVE-2021-45327 — Critical (CVSS 9.8): Gitea before 1.11.2 is affected by Trusting HTTP Permission Methods on the Server Side when referencing the vulnerable…
- CVE-2020-10180 — Critical (CVSS 9.8): The ESET AV parsing engine allows virus-detection bypass via a crafted BZ2 Checksum field in an archive. This affects…
- CVE-2019-19589 — Critical (CVSS 9.8): The Lever PDF Embedder plugin 4.4 for WordPress does not block the distribution of polyglot PDF documents that are…
- CVE-2026-14198 — Critical (CVSS 9.1): @fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching…