## https://sploitus.com/exploit?id=5B50AF5A-FBCC-5C42-A9AF-B44F0C59BCB3
# Flawfinder-ANSI-Exploit-POC
In version 2.0.19 of Flawfinder, no filename sanitization occurs when parsing possibly malicious filenames. Known affected terminals are libvte based, and the example below shows a mate-terminal.
This exploit has since been fixed in version 2.0.20 as of 5/17/26 by David Wheeler and I.
Included in this repository is a sample POC bash script and some information about how the exploit works.
# Exploit walkthrough
In a sample directory, include as many files as you like, as shown below:
The files both contain the same C code:
```
#include
void f(char *s) {
char buf[8];
strcpy(buf, s); /* genuine flawfinder level-4 hit */
}
```
When flawfinder is run on this directory, the following, expected, output is produced:
Now, if I include the following file with the malicious filename:
Rerunning flawfinder produces this output:
This malicious filename hides the output for every file scanned by flawfinder and falsely claims that they have no findings.
Further, running flawfinder with the --csv flag would produce the same results, and saving the output to a "*.csv" file would hide the true results from the end-user.