Zsh Mailing List Archive
Security issue in Zsh restricted mode (zsh -r) – escape via history built‑ins
- X-seq: zsh-workers 54161
- From: cyber security <cs7778503@xxxxxxxxx>
- To: zsh-workers@xxxxxxx
- Subject: Security issue in Zsh restricted mode (zsh -r) – escape via history built‑ins
- Date: Thu, 29 Jan 2026 08:25:18 -0800
- Archived-at: <https://zsh.org/workers/54161>
- List-id: <zsh-workers.zsh.org>

Hello Zsh Maintainers,

I am reporting a security issue in Zsh restricted mode (`zsh -r`).

Summary:
Restricted Zsh (`zsh -r`) can be escaped by abusing the `history -w`
and `history -a` built-ins. These commands allow a confined user to
overwrite files in $HOME, such as `.zprofile` or `.zshrc`. On the next
login, these files are sourced, enabling PATH modification and
arbitrary command execution outside the restricted environment. This
undermines the confinement model of restricted shells.

Impact:
A local user placed in restricted mode can break out of confinement
and escalate privileges. This issue is similar to the restricted Bash
(`rbash`) escape disclosed on oss-security (Jan 28, 2026).

Affected Versions:
All current versions of Zsh supporting restricted mode (`zsh -r`).

Mitigation:
Administrators should disable or restrict the use of `history -w` and
`history -a` in restricted environments, ensure $HOME is unwritable,
and harden startup file permissions. Symlinks into writable
directories should also be removed.

References:
- rbash disclosure: https://www.openwall.com/lists/oss-security/2026/01/28/1

I am requesting acknowledgment of this issue and guidance on whether a
patch or configuration hardening will be provided upstream. I am also
requesting a CVE identifier for tracking.

Thank you,
RelunSec
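
The file-system conditions listed under "Mitigation" in the report above can be checked mechanically. The following POSIX sh audit is an added example, not part of the original message or of Zsh; the function names and the numeric-uid argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the report): flag the write paths the Mitigation
# paragraph names. audit_restricted_home and writable_by are hypothetical names.

STARTUP_FILES=".zshenv .zprofile .zshrc .zlogin .zlogout"

# True when numeric uid $2 owns path $1, or the path is group- or world-writable
# (group write is flagged conservatively). -L tests a symlink's target.
writable_by() {
    [ -n "$(find -L "$1" -prune \( -user "$2" -o -perm -0020 -o -perm -0002 \) 2>/dev/null)" ]
}

report() {
    echo "FINDING: $1"
    AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
}

# audit_restricted_home HOME_DIR NUMERIC_UID; result count in $AUDIT_FINDINGS
audit_restricted_home() {
    home=$1 uid=$2 AUDIT_FINDINGS=0
    # A writable $HOME lets the user create or replace any startup file.
    if writable_by "$home" "$uid"; then
        report "$home is writable by uid $uid"
    fi
    # Existing startup files must not be writable (directly or via a symlink).
    for name in $STARTUP_FILES; do
        f=$home/$name
        if [ -e "$f" ] || [ -L "$f" ]; then
            if writable_by "$f" "$uid"; then report "$f is writable by uid $uid"; fi
        fi
    done
    # Symlinks in $HOME that lead into a writable directory.
    for p in "$home"/* "$home"/.[!.]*; do
        if [ -L "$p" ] && [ -d "$p" ] && writable_by "$p" "$uid"; then
            report "$p links into a writable directory"
        fi
    done
    echo "$AUDIT_FINDINGS finding(s) for $home"
}

# Run as: sh <this script> /home/restricted_user "$(id -u restricted_user)"
if [ "$#" -eq 2 ]; then
    audit_restricted_home "$1" "$2"
fi
```

The check reads ownership and mode bits only; ACLs and the restriction of the `history` built-ins themselves are outside its scope.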