GHSA-jgg9-rw32-44pjCritical
Electerm: Importing unsafe bookmark data could lead to unsafe operation when clicking local type bookmark
🔗 CVE IDs covered (1)
📋 Description
Impact
Persistent local-pty code execution via imported bookmarks or compromised sync targets. Affects users who import bookmark JSON files or who have electerm sync configured (gist/WebDAV). The attacker can inject exec* fields or global config to cause remote code to run when a bookmark is opened or when sync is applied.
Patches
Not yet
Workarounds
- Do not import unsafe data
References
- Report / credit: https://github.com/Curly-Haired-Baboon
- Electerm releases: https://github.com/electerm/electerm/releases
🎯 Affected products1
- npm/electerm:<= 3.8.8