Share
## https://sploitus.com/exploit?id=5B50AF5A-FBCC-5C42-A9AF-B44F0C59BCB3
# Flawfinder-ANSI-Exploit-POC
In version 2.0.19 of Flawfinder, no filename sanitization occurs when parsing possibly malicious filenames. Known affected terminals are libvte based, and the example below shows a mate-terminal. 

This exploit has since been fixed in version 2.0.20 as of 5/17/26 by David Wheeler and I. 

Included in this repository is a sample POC bash script and some information about how the exploit works.

# Exploit walkthrough
In a sample directory, include as many files as you like, as shown below:


The files both contain the same C code:
```
#include 
void f(char *s) {
    char buf[8];
    strcpy(buf, s);   /* genuine flawfinder level-4 hit */
}
```

When flawfinder is run on this directory, the following, expected, output is produced:



Now, if I include the following file with the malicious filename:


Rerunning flawfinder produces this output:


This malicious filename hides the output for every file scanned by flawfinder and falsely claims that they have no findings.

Further, running flawfinder with the --csv flag would produce the same results, and saving the output to a "*.csv" file would hide the true results from the end-user.