An attacker may inject content with ASCII control characters like vertical tabs, ANSI escape sequences, etc., that can create misleading output of the badkeys command-line tool. This impacts scanning DKIM keys (both --dkim and --dkim-dns), SSH keys (--ssh-lines mode), and filenames in various modes.
This has been fixed with the following commits:
https://github.com/badkeys/badkeys/commit/de631f69f040974bb5fb442cdab9a1d904c64087
https://github.com/badkeys/badkeys/commit/635a2f3b1b50a895d8b09ec8629efc06189f349a
All users should upgrade badkeys to version 0.0.16.
https://github.com/badkeys/badkeys/issues/40
| Score | Percentile |
|---|---|
| 0.01% | 2.60% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 2.0 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-wjpc-4f29-83h3 ↗ |
| CVE | CVE-2026-21439 ↗ |
| CWE id | Name |
|---|---|
| CWE-150 | Improper Neutralization of Escape, Meta, or Control Sequences |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| pip | badkeys | <= 0.0.15 | 0.0.16 | — |