GHSA-WXW2-RWMH-VR8F

Vulnerability from github – Published: 2026-04-16 21:24 – Updated: 2026-04-16 21:24
VLAI?
Summary
electerm: electerm_install_script_CommandInjection Vulnerability Report
Details

Impact

What kind of vulnerability is it? Who is impacted?

Two Command Injection vulnerabilities in electerm:

  1. macOS Installer (electerm_CommandInjection_02): A command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:150. The runMac() function appends attacker-controlled remote releaseInfo.name directly into an exec("open ...") command without validation.

  2. Linux Installer (electerm_CommandInjection_01): A command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:130. The runLinux() function appends attacker-controlled remote version strings directly into an exec("rm -rf ...") command without validation.

Who is impacted: Users who run npm install -g electerm. An attacker who can control the remote release metadata (version string or release name) served by the project's update server could execute arbitrary system commands, tamper local files, and escalate compromise of development/runtime assets.

Patches

Has the problem been patched? What versions should users upgrade to?

Fixed in 59708b38c8a52f5db59d7d4eff98e31d573128ee, user no need to upgrade, the new version already published in npm

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

no

Severity ?
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "electerm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T21:24:22Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\n**Two Command Injection vulnerabilities in electerm:**\n\n1. **macOS Installer** (`electerm_CommandInjection_02`): A command injection vulnerability exists in `github.com/elcterm/electerm/npm/install.js:150`. The `runMac()` function appends attacker-controlled remote `releaseInfo.name` directly into an `exec(\"open ...\")` command without validation.\n\n2. **Linux Installer** (`electerm_CommandInjection_01`): A command injection vulnerability exists in `github.com/elcterm/electerm/npm/install.js:130`. The `runLinux()` function appends attacker-controlled remote version strings directly into an `exec(\"rm -rf ...\")` command without validation.\n\n**Who is impacted:** Users who run `npm install -g electerm`. An attacker who can control the remote release metadata (version string or release name) served by the project\u0027s update server could execute arbitrary system commands, tamper local files, and escalate compromise of development/runtime assets.\n\n---\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nFixed in [59708b38c8a52f5db59d7d4eff98e31d573128ee](https://github.com/electerm/electerm/commit/59708b38c8a52f5db59d7d4eff98e31d573128ee), user no need to upgrade, the new version already published in npm\n\n---\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nno",
  "id": "GHSA-wxw2-rwmh-vr8f",
  "modified": "2026-04-16T21:24:22Z",
  "published": "2026-04-16T21:24:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/electerm/electerm/security/advisories/GHSA-wxw2-rwmh-vr8f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/electerm/electerm/commit/59708b38c8a52f5db59d7d4eff98e31d573128ee"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/electerm/electerm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "electerm: electerm_install_script_CommandInjection Vulnerability Report"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.