GHSA-FWF6-J56G-M97C
Vulnerability from github – Published: 2026-05-08 18:35 – Updated: 2026-05-08 18:35Impact
Electerm's terminal hyperlink handler passes any URL clicked in the terminal directly to shell.openExternal without any protocol validation.
When a user connects to a malicious SSH server, the attacker can print a crafted URI in the terminal output. If the victim clicks the link, shell.openExternal executes it using the operating system's default protocol handler.
This can be abused to:
- Trigger dangerous protocol handlers (ms-msdt:, search-ms:) for code execution
- Open local files or network shares (file://, UNC paths) to leak NTLM hashes or exfiltrate data
- Launch any installed application associated with a custom URI scheme
An attacker who controls terminal output (e.g., via a malicious SSH server, compromised remote host, or malicious plugin rendering terminal content) can thus achieve arbitrary code execution or local file access on the victim's machine, requiring only that the victim clicks a displayed link.
Patches
As of electerm v3.7.9, no official patch has been released. Users should monitor the project’s GitHub releases and security page for an update addressing this issue.
Workarounds
Until a patch is available: - Do not click on any links displayed in terminal sessions connected to untrusted servers. - If possible, disable hyperlink rendering in electerm's terminal settings. - Use a terminal multiplexer (e.g., tmux) or a separate terminal application that filters URI schemes when working with untrusted hosts. - Consider running electerm in a restricted environment (sandbox, AppArmor, SELinux) that limits the spawning of protocol handlers.
Resources
- electerm GitHub Repository
- electerm Security Policy
- Vulnerability details originally reported by external researcher (confirmed on v3.7.9, Win10).
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "electerm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.8.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-43941"
],
"database_specific": {
"cwe_ids": [
"CWE-601",
"CWE-88"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T18:35:17Z",
"nvd_published_at": "2026-05-08T04:16:23Z",
"severity": "HIGH"
},
"details": "### Impact\n\nElecterm\u0027s terminal hyperlink handler passes any URL clicked in the terminal directly to `shell.openExternal` without any protocol validation.\n\nWhen a user connects to a malicious SSH server, the attacker can print a crafted URI in the terminal output. If the victim clicks the link, `shell.openExternal` executes it using the operating system\u0027s default protocol handler.\n\nThis can be abused to:\n- Trigger dangerous protocol handlers (`ms-msdt:`, `search-ms:`) for code execution\n- Open local files or network shares (`file://`, UNC paths) to leak NTLM hashes or exfiltrate data\n- Launch any installed application associated with a custom URI scheme\n\nAn attacker who controls terminal output (e.g., via a malicious SSH server, compromised remote host, or malicious plugin rendering terminal content) can thus achieve arbitrary code execution or local file access on the victim\u0027s machine, requiring only that the victim clicks a displayed link.\n\n### Patches\n\nAs of electerm v3.7.9, no official patch has been released. Users should monitor the project\u2019s [GitHub releases](https://github.com/electerm/electerm/releases) and [security page](https://github.com/electerm/electerm/security) for an update addressing this issue.\n\n### Workarounds\n\nUntil a patch is available:\n- Do not click on any links displayed in terminal sessions connected to untrusted servers.\n- If possible, disable hyperlink rendering in electerm\u0027s terminal settings.\n- Use a terminal multiplexer (e.g., tmux) or a separate terminal application that filters URI schemes when working with untrusted hosts.\n- Consider running electerm in a restricted environment (sandbox, AppArmor, SELinux) that limits the spawning of protocol handlers.\n\n### Resources\n\n- [electerm GitHub Repository](https://github.com/electerm/electerm)\n- [electerm Security Policy](https://github.com/electerm/electerm/security)\n- Vulnerability details originally reported by external researcher (confirmed on v3.7.9, Win10).",
"id": "GHSA-fwf6-j56g-m97c",
"modified": "2026-05-08T18:35:17Z",
"published": "2026-05-08T18:35:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/electerm/electerm/security/advisories/GHSA-fwf6-j56g-m97c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43941"
},
{
"type": "PACKAGE",
"url": "https://github.com/electerm/electerm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Electerm has an unvalidated shell.openExternal that allows arbitrary protocol execution via terminal link click"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.