electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:130. The runLinux() function appends attacker-controlled remote version strings directly into an exec("rm -rf ...") command without validation. This issue has been patched in version 3.3.8.
The runLinux() function in the npm/install.js file (line 130) retrieves a remote version string and inserts it directly into the exec("rm -rf ...") command without any validation or sanitization. An attacker can provide a crafted version string containing additional system commands that will be executed in the context of the Electerm process. Since the attack vector is network-based, it does not require user interaction or any privileges, making this vulnerability particularly dangerous.
An attacker can execute arbitrary system commands on the victim's machine, leading to complete compromise of confidentiality, integrity, and availability of the system (RCE). Possible consequences include data theft, malware installation, and complete host compromise.
Electerm should be updated to version 3.3.8 or newer, where the issue has been fixed. The patch is available in the vendor's GitHub repository (commit 59708b38c8a52f5db59d7d4eff98e31d573128ee) and in release v3.3.8.
Electerm (electerm-project/electerm) in all versions before 3.3.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HElecterm Project Electerm
APPElecterm Project< 3.3.8
Related vulnerabilities
Krytyczna podatność w kliencie electerm (wersje 3.0.6–3.8.8)
Command injection w electerm — wykonanie kodu przez złośliwe releaseInfo.name
RCE w Electerm — brak walidacji protokołu URL w handlerze hiperłączy
RCE w electerm — wykonanie kodu przez deep links i spreparowane skróty
An issue was discovered in Electerm 1.3.22, allows attackers to execute arbitrary code via unverified request ...