changelog: serial sanitization and optional rate limiting

kalyazin · kalyazin · commit 4468f303d038 · 2026-04-09T12:07:40.000Z
Add an entry under [Unreleased] &gt; Added describing the new serial
console output sanitization and optional rate limiting features.

Signed-off-by: Nikita Kalyazin &lt;kalyazin@amazon.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,12 @@ and this project adheres to
   support for Vsock Unix domain socket path overriding on snapshot restore. More
   information can be found in the
   [docs](docs/vsock.md/#unix-domain-socket-renaming).
+- [#5824](https://github.com/firecracker-microvm/firecracker/pull/5824): Add
+  output sanitization to the serial console. Non-printable and control bytes are
+  replaced with `\xNN` hex escapes, preventing terminal escape injection from
+  guest to host. Add optional rate limiting to serial console output,
+  configurable via the `rate_limiter` field on `PUT /serial`. Two new metrics
+  are exposed under `uart`: `rate_limiter_dropped_bytes` and `sanitized_bytes`.
 
 ### Changed
 
