| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-3crq-bu3h-mbfw |
| vulnerability_id |
VCID-3crq-bu3h-mbfw |
| summary |
Electerm has an unvalidated shell.openExternal that allows arbitrary protocol execution via terminal link click
### Impact
Electerm's terminal hyperlink handler passes any URL clicked in the terminal directly to `shell.openExternal` without any protocol validation.
When a user connects to a malicious SSH server, the attacker can print a crafted URI in the terminal output. If the victim clicks the link, `shell.openExternal` executes it using the operating system's default protocol handler.
This can be abused to:
- Trigger dangerous protocol handlers (`ms-msdt:`, `search-ms:`) for code execution
- Open local files or network shares (`file://`, UNC paths) to leak NTLM hashes or exfiltrate data
- Launch any installed application associated with a custom URI scheme
An attacker who controls terminal output (e.g., via a malicious SSH server, compromised remote host, or malicious plugin rendering terminal content) can thus achieve arbitrary code execution or local file access on the victim's machine, requiring only that the victim clicks a displayed link.
### Patches
As of electerm v3.7.9, no official patch has been released. Users should monitor the project’s [GitHub releases](https://github.com/electerm/electerm/releases) and [security page](https://github.com/electerm/electerm/security) for an update addressing this issue.
### Workarounds
Until a patch is available:
- Do not click on any links displayed in terminal sessions connected to untrusted servers.
- If possible, disable hyperlink rendering in electerm's terminal settings.
- Use a terminal multiplexer (e.g., tmux) or a separate terminal application that filters URI schemes when working with untrusted hosts.
- Consider running electerm in a restricted environment (sandbox, AppArmor, SELinux) that limits the spawning of protocol handlers.
### Resources
- [electerm GitHub Repository](https://github.com/electerm/electerm)
- [electerm Security Policy](https://github.com/electerm/electerm/security)
- Vulnerability details originally reported by an external researcher (confirmed on v3.7.9, Win10). |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-43941 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.06128 |
| published_at |
2026-06-05T12:55:00Z |
|
| 1 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.06065 |
| published_at |
2026-06-08T12:55:00Z |
|
| 2 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.06111 |
| published_at |
2026-06-07T12:55:00Z |
|
| 3 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.06115 |
| published_at |
2026-06-06T12:55:00Z |
|
| 4 |
| value |
0.00023 |
| scoring_system |
epss |
| scoring_elements |
0.06702 |
| published_at |
2026-06-09T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-43941 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-43941, GHSA-fwf6-j56g-m97c
|
| risk_score |
4.3 |
| exploitability |
0.5 |
| weighted_severity |
8.6 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3crq-bu3h-mbfw |
|
| 1 |
| url |
VCID-ajw6-7y87-8fcm |
| vulnerability_id |
VCID-ajw6-7y87-8fcm |
| summary |
Electerm's full process.env exposed to renderer via window.pre.env
### Impact
The `getConstants()` IPC handler in `src/app/lib/ipc-sync.js` serialises the entire `process.env` object and sends it to the renderer. The data is stored as `window.pre.env` and is accessible from any JavaScript running in the renderer (e.g., via the DevTools console or a compromised webview context).
On developer and CI machines, `process.env` routinely contains secrets such as:
- `AWS_SECRET_ACCESS_KEY` / `AWS_SESSION_TOKEN`
- `GITHUB_TOKEN` / `NPM_TOKEN`
- `OPENAI_API_KEY` / `DOCKER_AUTH`
- Internal service credentials, API keys, and database URLs
An attacker who achieves any JavaScript execution within the renderer—for example, through a malicious plugin, a cross-site scripting (XSS) flaw, or the terminal hyperlink execution chain—can trivially exfiltrate these secrets to a remote server, leading to cloud account compromise, supply chain attacks, and lateral movement. The exposure is visible even without any code execution by simply opening the "Info" modal in the application, though that requires local access.
### Patches
No patch is available yet.
### Workarounds
Until a patch is released:
- Avoid launching electerm with sensitive environment variables set. Use shell scripts or a dedicated terminal profile that clears secrets before starting the application.
- Do not install plugins from untrusted sources, and audit any installed plugins for network access.
- Keep the renderer context as locked down as possible: disable the remote debugging port, and do not paste untrusted code into the DevTools console.
### Resources
- [electerm GitHub Repository](https://github.com/electerm/electerm)
- [electerm Security Policy](https://github.com/electerm/electerm/security)
- Vulnerability details originally reported by an external researcher (confirmed on v3.7.9, Win10). |
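The structural fix is to stop serialising `process.env` at all and instead hand the renderer an allow-list of the few variables it legitimately needs, with a name-pattern check as a second layer so that a later careless widening of the allow-list still cannot leak a token. The block below is an added example and not electerm's `getConstants()` handler; the allow-list contents, the secret-name pattern and the returned object shape are assumptions.

```javascript
// Added example (not electerm code): build the renderer-facing environment
// from an allow-list instead of serialising process.env. The allow-list,
// SECRET_NAME_PATTERN and the getConstants() shape are assumptions.

// Variables a renderer plausibly needs (locale, shell, home, PATH).
const RENDERER_ENV_ALLOWLIST = ['HOME', 'USERPROFILE', 'LANG', 'TERM', 'SHELL', 'PATH'];

// Defence in depth: names matching this never leave the main process, even
// if someone later adds them to the allow-list.
const SECRET_NAME_PATTERN = /(secret|token|password|passwd|api[_-]?key|auth|credential|private)/i;

// Copy only allow-listed, non-secret-looking, string-valued entries.
function filterEnvForRenderer(env, allowlist = RENDERER_ENV_ALLOWLIST) {
  const out = {};
  for (const name of allowlist) {
    if (SECRET_NAME_PATTERN.test(name)) continue;
    if (Object.prototype.hasOwnProperty.call(env, name) && typeof env[name] === 'string') {
      out[name] = env[name];
    }
  }
  return out;
}

// Replacement for a getConstants-style IPC handler: the renderer gets a
// filtered env plus the non-sensitive constants it needs, nothing more.
function getConstants(env = process.env) {
  return {
    env: filterEnvForRenderer(env),
    platform: process.platform,
  };
}

// Audit helper: lists which names a wholesale process.env export would have
// leaked, useful as a one-off check on a developer machine.
function suspiciousEnvNames(env = process.env) {
  return Object.keys(env).filter((name) => SECRET_NAME_PATTERN.test(name)).sort();
}

module.exports = { filterEnvForRenderer, getConstants, suspiciousEnvNames, RENDERER_ENV_ALLOWLIST };
```

`suspiciousEnvNames()` is only a heuristic (a secret stored under an innocuous name like `DB_URL` will not match), which is exactly why the allow-list, not the pattern, is the primary control.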
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-43942 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4e-05 |
| scoring_system |
epss |
| scoring_elements |
0.00165 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
4e-05 |
| scoring_system |
epss |
| scoring_elements |
0.00199 |
| published_at |
2026-06-09T12:55:00Z |
|
| 2 |
| value |
4e-05 |
| scoring_system |
epss |
| scoring_elements |
0.00164 |
| published_at |
2026-06-08T12:55:00Z |
|
| 3 |
| value |
4e-05 |
| scoring_system |
epss |
| scoring_elements |
0.00166 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-43942 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-43942, GHSA-37j4-88rp-2f6h
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ajw6-7y87-8fcm |
|
| 2 |
| url |
VCID-awzs-n9wv-63fg |
| vulnerability_id |
VCID-awzs-n9wv-63fg |
| summary |
Electerm runWidget has a path traversal that leads to arbitrary code execution
### Impact
The `runWidget` function in `src/app/widgets/load-widget.js` constructs a file path by directly concatenating user‑supplied widget identifiers without any sanitisation:
```javascript
const file = `widget-${widgetId}.js`
const widget = require(path.join(__dirname, file))
```
Because `runWidget` is exposed to the renderer process via an asynchronous IPC handler with no input validation, an attacker who achieves JavaScript execution inside the renderer (for example, through a malicious plugin or a cross‑site scripting flaw in the built‑in webview) can abuse a **path traversal** (`../`) to load and execute an arbitrary JavaScript file anywhere on the victim’s filesystem. This gives the attacker local code execution with the full privileges of the electerm process, leading to complete system compromise.
### Patches
Fixed in version >= 3.7.16
### Workarounds
Until a patch is released:
- Do not install or run untrusted plugins.
- Avoid loading arbitrary web content inside electerm’s embedded webview (for example, disable any features that fetch and display remote HTML).
- Run electerm in a sandboxed environment (e.g., with `bubblewrap` on Linux, AppArmor/SELinux profiles, or Windows sandboxed app execution) to limit the impact of any code execution.
### Resources
- [electerm GitHub Repository](https://github.com/electerm/electerm)
- [electerm Security Policy](https://github.com/electerm/electerm/security)
- Vulnerability details originally reported by an external researcher (PoC confirmed on v3.7.9, Win10). |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-43940 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00044 |
| scoring_system |
epss |
| scoring_elements |
0.13961 |
| published_at |
2026-06-05T12:55:00Z |
|
| 1 |
| value |
0.00044 |
| scoring_system |
epss |
| scoring_elements |
0.13842 |
| published_at |
2026-06-08T12:55:00Z |
|
| 2 |
| value |
0.00044 |
| scoring_system |
epss |
| scoring_elements |
0.13927 |
| published_at |
2026-06-07T12:55:00Z |
|
| 3 |
| value |
0.00044 |
| scoring_system |
epss |
| scoring_elements |
0.13963 |
| published_at |
2026-06-06T12:55:00Z |
|
| 4 |
| value |
0.00048 |
| scoring_system |
epss |
| scoring_elements |
0.15276 |
| published_at |
2026-06-09T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-43940 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-43940, GHSA-f77v-9vpc-6pjm
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-awzs-n9wv-63fg |
|
| 3 |
| url |
VCID-b9w3-28vs-3bbg |
| vulnerability_id |
VCID-b9w3-28vs-3bbg |
| summary |
electerm has Command Injection via runLinux function
### Impact
**Command Injection vulnerabilities in electerm:**
A command injection vulnerability exists in `github.com/electerm/electerm/npm/install.js:130`. The `runLinux()` function appends attacker-controlled remote version strings directly into an `exec("rm -rf ...")` command without validation.
**Who is impacted:** Users who run `npm install -g electerm` in Linux. An attacker who can control the remote release metadata (version string or release name) served by the project's update server could execute arbitrary system commands, tamper local files, and escalate compromise of development/runtime assets.
---
### Patches
Fixed in [59708b38c8a52f5db59d7d4eff98e31d573128ee](https://github.com/electerm/electerm/commit/59708b38c8a52f5db59d7d4eff98e31d573128ee); users do not need to upgrade, as the new version is already published on npm.
---
### Workarounds
None. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-41501 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00733 |
| scoring_system |
epss |
| scoring_elements |
0.73137 |
| published_at |
2026-06-09T12:55:00Z |
|
| 1 |
| value |
0.00753 |
| scoring_system |
epss |
| scoring_elements |
0.73599 |
| published_at |
2026-06-06T12:55:00Z |
|
| 2 |
| value |
0.00753 |
| scoring_system |
epss |
| scoring_elements |
0.73571 |
| published_at |
2026-06-08T12:55:00Z |
|
| 3 |
| value |
0.00753 |
| scoring_system |
epss |
| scoring_elements |
0.73586 |
| published_at |
2026-06-07T12:55:00Z |
|
| 4 |
| value |
0.00753 |
| scoring_system |
epss |
| scoring_elements |
0.73595 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-41501 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-41501, GHSA-8x35-hph8-37hq
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-b9w3-28vs-3bbg |
|
| 4 |
| url |
VCID-ck2c-wn21-cucu |
| vulnerability_id |
VCID-ck2c-wn21-cucu |
| summary |
electerm: electerm_install_script_CommandInjection Vulnerability Report
### Impact
**Command Injection vulnerabilities in electerm:**
A command injection vulnerability exists in `github.com/electerm/electerm/npm/install.js:150`. The `runMac()` function appends the attacker-controlled remote `releaseInfo.name` directly into an `exec("open ...")` command without validation.
**Who is impacted:** Users who run `npm install -g electerm` on macOS. An attacker who can control the remote release metadata (version string or release name) served by the project's update server could execute arbitrary system commands, tamper with local files, and escalate compromise of development/runtime assets.
---
### Patches
Fixed in [59708b38c8a52f5db59d7d4eff98e31d573128ee](https://github.com/electerm/electerm/commit/59708b38c8a52f5db59d7d4eff98e31d573128ee); users do not need to upgrade, as the new version is already published on npm.
---
### Workarounds
None.
---
### References
[59708b38c8a52f5db59d7d4eff98e31d573128ee](https://github.com/electerm/electerm/commit/59708b38c8a52f5db59d7d4eff98e31d573128ee) |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-41500 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00189 |
| scoring_system |
epss |
| scoring_elements |
0.4055 |
| published_at |
2026-06-09T12:55:00Z |
|
| 1 |
| value |
0.00194 |
| scoring_system |
epss |
| scoring_elements |
0.41171 |
| published_at |
2026-06-08T12:55:00Z |
|
| 2 |
| value |
0.00194 |
| scoring_system |
epss |
| scoring_elements |
0.41201 |
| published_at |
2026-06-07T12:55:00Z |
|
| 3 |
| value |
0.00194 |
| scoring_system |
epss |
| scoring_elements |
0.41232 |
| published_at |
2026-06-06T12:55:00Z |
|
| 4 |
| value |
0.00194 |
| scoring_system |
epss |
| scoring_elements |
0.41228 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-41500 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-41500, GHSA-wxw2-rwmh-vr8f
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ck2c-wn21-cucu |
|
| 5 |
| url |
VCID-w4u7-qfnj-wucz |
| vulnerability_id |
VCID-w4u7-qfnj-wucz |
| summary |
Electerm Security Vulnerability: RCE via malicious SSH server filename in openFileWithEditor
### Impact
A remote code execution (RCE) vulnerability exists in electerm's SFTP "open with system editor" and "Edit with custom editor" features. When a user opts to edit a file with either, the filename is passed directly into a command line without sanitization.
A malicious actor controlling the SSH server or user OS can exploit this by crafting a filename containing shell metacharacters. If a victim subsequently attempts to edit this file, the injected commands are executed on their machine with the user's privileges. This could allow the attacker to run arbitrary code, install malware, or move laterally within the network.
![1](https://github.com/user-attachments/assets/ddf78890-e95d-4fe7-981e-f86887677e8b)
![2](https://github.com/user-attachments/assets/cca2295b-2053-4d99-a464-be51eac2f5be)
### Patches
Fixed in version >= 3.7.9
- https://github.com/electerm/electerm/commit/24ce7103e264cffe6eb5476c0506a2379e6f8333
### Workarounds
Until a patch is available, it is strongly recommended to:
- Refrain from using the open with system editor or "Edit with custom editor" feature when connected to untrusted or unfamiliar SSH servers.
- Consider using the built-in editor for viewing files, as this path may not be vulnerable to the same injection.
- If the feature must be used, ensure connections are exclusively established with trusted servers and perform rigorous filename validation before editing.
### Resources
- [electerm GitHub Repository](https://github.com/electerm/electerm) |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-43943 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.09928 |
| published_at |
2026-06-06T12:55:00Z |
|
| 1 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.09817 |
| published_at |
2026-06-08T12:55:00Z |
|
| 2 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.09901 |
| published_at |
2026-06-07T12:55:00Z |
|
| 3 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.09915 |
| published_at |
2026-06-05T12:55:00Z |
|
| 4 |
| value |
0.00035 |
| scoring_system |
epss |
| scoring_elements |
0.10777 |
| published_at |
2026-06-09T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-43943 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-43943, GHSA-q4p8-8j9m-8hxj
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-w4u7-qfnj-wucz |
|
|