Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionGitHub Advisory
Impact
_Persistent local-pty code execution via imported bookmarks or compromised sync targets. Affects users who import bookmark JSON files or who have electerm sync configured (gist/WebDAV). The attacker can inject exec* fields or global config to cause remote code to run when a bookmark is opened or when sync is applied._
Patches
Not yet
Workarounds
- Do not import unsafe data
References
- Report / credit: https://github.com/Curly-Haired-Baboon
- Electerm releases: https://github.com/electerm/electerm/releases
AnalysisAI
Code execution in Electerm (npm package, versions <= 3.8.8) allows attackers to achieve persistent local-pty code execution by tricking users into importing malicious bookmark JSON files or by compromising configured sync targets (Gist/WebDAV). The flaw stems from unsafe handling of bookmark fields (exec*) and global config entries, which are executed when a bookmark is opened or when sync is applied. No public exploit identified at time of analysis, and no vendor-released patch is identified at time of analysis.
Technical ContextAI
Electerm is an open-source Electron-based SSH/terminal/SFTP client distributed via npm. The root cause is CWE-94 (Improper Control of Generation of Code, i.e., code injection): bookmark JSON imports and synced configuration data are deserialized into runtime configuration containing exec* fields that the application later executes via a local pseudo-terminal (pty). Because the application uses Electron and spawns shell processes from user-controlled bookmark metadata without sufficient validation, attacker-supplied JSON effectively becomes shell command input. The CPE pkg:npm/electerm identifies the affected package, and the GitHub Security Advisory GHSA-jgg9-rw32-44pj scopes the impact to all versions through 3.8.8.
RemediationAI
No vendor-released patch identified at time of analysis - the GHSA advisory explicitly states 'Patches: Not yet' and no fixed version is listed in the npm advisory. Until a patched release appears at https://github.com/electerm/electerm/releases, the only vendor-suggested workaround is to avoid importing bookmark JSON from untrusted sources; in addition, security teams should disable or unconfigure third-party bookmark sync (Gist/WebDAV) when the sync endpoint is not fully controlled, since a compromised sync target also triggers this issue, accepting the trade-off of losing cross-device bookmark synchronization. Organizations may also restrict execution of Electerm to managed endpoints, block bookmark imports through endpoint policy or application allow-listing, and audit existing bookmark files for unexpected exec* fields or unusual global config entries before re-importing.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32961
GHSA-jgg9-rw32-44pj