CVE-2026-35197 Overview
CVE-2026-35197 is a code injection vulnerability discovered in dye, a portable and respectful color library designed for shell scripts. Prior to version 1.1.1, certain dye template expressions could result in the execution of arbitrary code. This vulnerability was discovered and fixed by dye's author and is not known to have been exploited in the wild.
Critical Impact
Arbitrary code execution through maliciously crafted template expressions in shell scripts using the dye library, potentially allowing attackers to compromise systems where vulnerable scripts are executed.
Affected Products
- dye versions prior to 1.1.1
Discovery Timeline
- 2026-04-06 - CVE CVE-2026-35197 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-35197
Vulnerability Analysis
This vulnerability falls under CWE-94 (Improper Control of Generation of Code - Code Injection). The flaw exists in how dye processes template expressions within shell scripts. When user-controlled or malicious input is passed through certain template expression patterns, the library fails to properly sanitize or validate the input before processing, allowing arbitrary code to be executed in the context of the running shell script.
The local attack vector requires user interaction, meaning an attacker would need to convince a user to execute a script containing malicious template expressions or craft input that gets processed by a vulnerable dye template. Successful exploitation could result in high confidentiality and integrity impacts, allowing attackers to read sensitive data or modify system files, though availability is not affected.
Root Cause
The root cause of this vulnerability lies in improper input validation and sanitization within dye's template expression parser. The library did not adequately escape or restrict template expression content before evaluating it, creating an injection point where shell metacharacters or command sequences could be interpreted and executed. This is a classic code injection pattern where template processing mechanisms inadvertently allow code execution when handling untrusted input.
Attack Vector
The attack vector is local, requiring an attacker to either have local access to craft malicious template expressions or to manipulate input that flows into dye template processing within shell scripts. The attack requires low privileges but does necessitate user interaction—such as a user running a script that processes attacker-controlled data through dye templates.
An attacker could craft specially formatted template expressions that, when processed by vulnerable versions of dye, would break out of the intended template context and execute arbitrary shell commands. This could be delivered through various means such as environment variables, command-line arguments, or file content that gets processed by scripts using the dye library.
Detection Methods for CVE-2026-35197
Indicators of Compromise
- Unexpected shell command execution in logs associated with scripts using the dye library
- Anomalous process spawning from shell scripts that utilize dye for color formatting
- Unusual file access patterns or modifications following execution of scripts with dye dependencies
Detection Strategies
- Audit shell scripts in your environment for dye library usage and verify versions are 1.1.1 or later
- Monitor for unusual command execution patterns originating from scripts known to use color formatting libraries
- Implement file integrity monitoring on critical shell scripts to detect tampering that might introduce malicious template expressions
Monitoring Recommendations
- Enable detailed shell script execution logging to capture template expression processing
- Monitor for suspicious input patterns that may indicate template injection attempts
- Review application logs for any errors or unusual output from dye-related template processing
How to Mitigate CVE-2026-35197
Immediate Actions Required
- Upgrade dye to version 1.1.1 or later immediately
- Audit all shell scripts using dye for potential exposure to untrusted input in template expressions
- Restrict execution of scripts using vulnerable dye versions until patching is complete
- Review and validate any user-controlled input that flows into dye template expressions
Patch Information
The vulnerability has been fixed in dye version 1.1.1. Users should upgrade to this version or later to remediate the vulnerability. The fix was implemented by the dye author who both discovered and patched the issue. For additional details, refer to the GitHub Security Advisory and the MattieBee Template Advisory.
Workarounds
- Avoid processing untrusted or user-controlled input through dye template expressions until the upgrade is complete
- Implement input validation and sanitization for any data that flows into dye templates
- Consider temporarily disabling dye color functionality in security-sensitive scripts until patching is complete
# Upgrade dye to patched version
# Using typical package manager or direct installation
# Verify version after upgrade
dye --version
# Expected: 1.1.1 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
