Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, Electerm's terminal hyperlink handler passes any URL clicked in the terminal directly to shell.openExternal without any protocol validation. An attacker who controls terminal output (e.g., via a malicious SSH server, compromised remote host, or malicious plugin rendering terminal content) can thus achieve arbitrary code execution or local file access on the victim's machine, requiring only that the victim clicks a displayed link. At time of publication, there are no publicly available patches.
AnalysisAI
Arbitrary code execution in Electerm terminal client (≤3.8.15) allows attackers who control terminal output to execute commands or access local files when victims click hyperlinks. The unvalidated shell.openExternal call accepts any protocol scheme, enabling 'file://' URIs for local file access or platform-specific handlers for code execution. No vendor-released patch identified at time of analysis. GitHub Security Advisory GHSA-fwf6-j56g-m97c confirms the vulnerability. CVSS 9.6 reflects high impact across confidentiality, integrity, and availability with scope change, though exploitation requires user interaction (clicking a malicious link).
Technical ContextAI
Electerm is an Electron-based terminal emulator supporting SSH, SFTP, Telnet, RDP, VNC, and serial connections. The vulnerability stems from CWE-88 (Improper Neutralization of Argument Delimiters) in the hyperlink handling code. When terminal escape sequences render clickable URLs, Electerm invokes Electron's shell.openExternal API without protocol whitelisting. This API delegates to the operating system's default handler for any URI scheme - 'http:', 'file:', custom protocol handlers, or executable wrappers. An attacker controlling terminal output (through compromised SSH servers, malicious remote hosts, or plugins) can inject ANSI escape sequences with crafted URLs. The CVSS vector AV:N indicates network attack vector because remote servers generate terminal content; S:C (scope change) reflects breaking out of the application context into OS-level execution.
RemediationAI
No vendor-released patch identified at time of analysis per the description stating 'no publicly available patches.' Monitor GitHub Security Advisory GHSA-fwf6-j56g-m97c for updates. Immediate compensating controls: (1) Disable hyperlink rendering in Electerm terminal settings if available - prevents clickable links entirely, eliminating attack surface at cost of usability. (2) Train users not to click terminal-rendered URLs; manually copy/paste into browser address bar after inspecting protocol scheme. This introduces friction in legitimate workflows where terminal links provide operational value. (3) Restrict Electerm usage to trusted remote hosts only; treat any SSH server, RDP gateway, or VNC host as potential attack vector. Side effect: limits Electerm's utility for ad-hoc remote access. (4) Run Electerm in sandboxed environment (containerized, VM, or restricted user account) to contain shell.openExternal execution scope; does not prevent exploitation but limits lateral movement. (5) Network-level controls: monitor outbound connections from Electerm process for unexpected protocols or destinations. Consult the GitHub advisory for potential upstream fixes or recommended settings changes as vendor response evolves.
Arbitrary local code execution in electerm (versions 3.0.6-3.8.14) allows remote attackers to execute malicious code on
Path traversal in electerm's IPC widget loader allows local code execution with full process privileges when an attacker
Command injection in electerm's SFTP file editor feature allows arbitrary code execution when users edit files with mali
electerm 3.8.15 and prior exposes environment variables containing secrets through the getConstants() IPC handler, which
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28513
GHSA-fwf6-j56g-m97c