GHSA-v5ff-xmfp-p245HighCVSS 8.8
electerm has Command Injection in File System Operations (rmrf, mv, cp)
🔗 CVE IDs covered (1)
📋 Description
Impact
A command injection vulnerability exists in electerm's file system operations (rmrf, mv, cp) in src/app/lib/fs.js. These functions construct shell commands by interpolating file paths directly into command strings without escaping shell metacharacters.
Vulnerable functions:
rmrf()- Usesrm -rf "${path}"(double quotes, vulnerable to"injection)mv()- Usesmv '${from}' '${to}'(single quotes, vulnerable to'injection)cp()- Usescp -r "${from}" "${to}"(double quotes, vulnerable to"injection)
Attack scenario:
- Attacker controls a malicious SSH/SFTP server
- Server lists files with shell metacharacters in names (e.g.,
file"$(touch /tmp/pwned)") - Victim connects to the server and performs file operations (remote-to-local transfer, rename on conflict, etc.)
- The malicious filename is passed to
rmrf(),mv(), orcp()without sanitization - Shell metacharacters break out of the quoted argument and execute arbitrary commands
Impact includes:
- Arbitrary command execution as the electerm desktop user
- Data exfiltration, malware installation, or system compromise
- Both POSIX (bash) and Windows (PowerShell) platforms are affected
Patches
- https://github.com/electerm/electerm/commit/aa778818843b9c083bd711cd04644d102fcb5a42
Workarounds
If upgrading is not immediately possible, users can mitigate this vulnerability by:
- Only connecting to trusted SSH/SFTP servers
- Avoiding remote-to-local file transfers from untrusted sources
- Not using the "rename on conflict" option when downloading folders from untrusted servers
- Manually verifying filenames before performing file operations
🎯 Affected products1
- npm/electerm:<= 3.11.0