Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.16, the runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user‑supplied widget identifiers without any sanitisation. Because runWidget is exposed to the renderer process via an asynchronous IPC handler with no input validation, an attacker who achieves JavaScript execution inside the renderer (for example, through a malicious plugin or a cross‑site scripting flaw in the built‑in webview) can abuse a path traversal (../) to load and execute an arbitrary JavaScript file anywhere on the victim’s filesystem. This gives the attacker local code execution with the full privileges of the electerm process, leading to complete system compromise. This issue has been patched in version 3.7.16.
AnalysisAI
Path traversal in electerm's IPC widget loader allows local code execution with full process privileges when an attacker achieves JavaScript execution in the renderer process. Affects all versions prior to 3.7.16. The vulnerability enables filesystem-wide arbitrary JavaScript file loading and execution through unsanitized path concatenation in runWidget function, bypassing Electron's process isolation. Vendor-released patch available in version 3.7.16. EPSS data not available; no confirmed active exploitation (not in CISA KEV).
Technical ContextAI
electerm is an Electron-based terminal emulator supporting multiple protocols (SSH, SFTP, Telnet, RDP, VNC, Spice). The vulnerability exists in the main-to-renderer IPC (Inter-Process Communication) bridge architecture inherent to Electron applications. The runWidget function in src/app/widgets/load-widget.js accepts widget identifiers from the renderer process via an async IPC handler and directly concatenates them into filesystem paths without validation. This is a classic CWE-22 path traversal vulnerability where directory traversal sequences (../) can escape the intended widget directory. Because Electron's main process runs with full Node.js privileges while the renderer is sandboxed, exposing filesystem operations to renderer-controlled input creates a privilege escalation vector. The flaw breaks the security boundary between sandboxed renderer code and privileged main process operations.
RemediationAI
Upgrade to electerm version 3.7.16 immediately, available at https://github.com/electerm/electerm/releases/tag/v3.7.16. The patch implements input validation and sanitization in the runWidget IPC handler to prevent directory traversal sequences. If immediate upgrade is not feasible, implement strict compensating controls: disable all third-party widget and plugin loading functionality if the application exposes such features; restrict electerm to processing only trusted terminal sessions without embedded webviews or user-supplied content; run electerm under a restricted user account with minimal filesystem permissions to limit post-exploitation impact (note: this reduces but does not eliminate risk as the attacker still inherits the restricted user's privileges). Review application logs for suspicious widget loading attempts (look for paths containing ../ sequences). These mitigations carry operational trade-offs - disabling plugins may break legitimate workflows, and restricted accounts may limit integration with system tools.
Arbitrary local code execution in electerm (versions 3.0.6-3.8.14) allows remote attackers to execute malicious code on
Arbitrary code execution in Electerm terminal client (≤3.8.15) allows attackers who control terminal output to execute c
Command injection in electerm's SFTP file editor feature allows arbitrary code execution when users edit files with mali
electerm 3.8.15 and prior exposes environment variables containing secrets through the getConstants() IPC handler, which
Same weakness CWE-22 – Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28512
GHSA-f77v-9vpc-6pjm