Advisories for Npm/Electerm package

2026

Electerm's full process.env exposed to renderer via window.pre.env

The getConstants() IPC handler in src/app/lib/ipc-sync.js serialises the entire process.env object and sends it to the renderer. The data is stored as window.pre.env and is accessible from any JavaScript running in the renderer (e.g., via the DevTools console or a compromised webview context). On developer and CI machines, process.env routinely contains secrets such as: AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN; GITHUB_TOKEN / NPM_TOKEN; OPENAI_API_KEY / DOCKER_AUTH; internal service credentials, API keys, and database …

Electerm users can run dangerous code through link or command line

Arbitrary local code execution via deep links, CLI --opts, or crafted shortcuts. Affected users: electerm installs that accept protocol URLs or CLI options (affected versions listed in the original report). Exploit requires clicking a crafted electerm://… link or opening a crafted shortcut/command that launches electerm with attacker-controlled opts.

Electerm Security Vulnerability: RCE via malicious SSH server filename in openFileWithEditor

A code execution (RCE) vulnerability exists in electerm's SFTP open with system editor or "Edit with custom editor" feature. When a user opts to edit a file using open with system editor or open with a custom editor, the filename is passed directly into a command line without sanitization. A malicious actor controlling the SSH server or user OS can exploit this by crafting a filename containing shell metacharacters. If …

Electerm runWidget has a path traversal that leads to arbitrary code execution

The runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user‑supplied widget identifiers without any sanitisation: `const file = \`widget-${widgetId}.js\`` followed by `const widget = require(path.join(__dirname, file))`. Because runWidget is exposed to the renderer process via an asynchronous IPC handler with no input validation, an attacker who achieves JavaScript execution inside the renderer (for example, through a malicious plugin or a cross‑site scripting flaw in the built‑in webview) can abuse …

Electerm has an unvalidated shell.openExternal that allows arbitrary protocol execution via terminal link click

Electerm's terminal hyperlink handler passes any URL clicked in the terminal directly to shell.openExternal without any protocol validation. When a user connects to a malicious SSH server, the attacker can print a crafted URI in the terminal output. If the victim clicks the link, shell.openExternal executes it using the operating system's default protocol handler. This can be abused to: trigger dangerous protocol handlers (ms-msdt:, search-ms:) for code execution; open local …

electerm has Command Injection via runLinux function

What kind of vulnerability is it? Who is impacted? Command Injection vulnerabilities in electerm: A command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:130. The runLinux() function appends attacker-controlled remote version strings directly into an exec("rm -rf …") command without validation. Who is impacted: Users who run npm install -g electerm on Linux. An attacker who can control the remote release metadata (version string or release name) served by the project's update server …

electerm: electerm_install_script_CommandInjection Vulnerability Report

What kind of vulnerability is it? Who is impacted? Command Injection vulnerabilities in electerm: A command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:150. The runMac() function appends attacker-controlled remote releaseInfo.name directly into an exec("open …") command without validation. Who is impacted: Users who run npm install -g electerm on Mac OS. An attacker who can control the remote release metadata (version string or release name) served by the project's update server could …

electerm: electerm_install_script_CommandInjection Vulnerability Report

What kind of vulnerability is it? Who is impacted? Two Command Injection vulnerabilities in electerm: macOS Installer (electerm_CommandInjection_02): A command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:150. The runMac() function appends attacker-controlled remote releaseInfo.name directly into an exec("open …") command without validation. Linux Installer (electerm_CommandInjection_01): A command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:130. The runLinux() function appends attacker-controlled remote version strings directly into an exec("rm -rf …") command without validation. Who is impacted: …

2023