Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionGitHub Advisory
Impact
_Local code execution without UI interaction: any same-user process can send a JSON payload to electerm's single-instance socket/pipe, causing the app to create tabs and potentially spawn attacker-controlled local processes. Affects electerm single-instance installs on the machine._
Patches
- https://github.com/electerm/electerm/commit/0599e67069b00e376a2e962649aaad6096e63507
Workarounds
- Do not run unsafe command
References
- Report / credit: https://github.com/Curly-Haired-Baboon
- Electerm releases: https://github.com/electerm/electerm/releases
AnalysisAI
Local code execution in electerm 3.0.6 through 3.8.8 allows any same-user process to send a crafted JSON payload to electerm's single-instance IPC socket/pipe, causing the application to open tabs with attacker-controlled exec paths, arguments, environment variables, and post-connect scripts that spawn arbitrary local processes. No public exploit identified at time of analysis, but the GHSA advisory and patch commit confirm the vulnerability is real, scored CVSS 4.0 9.3 (Critical), and fixed in version 3.9.0 by filtering dangerous tab properties on the IPC boundary.
Technical ContextAI
electerm is an Electron-based open-source SSH/terminal client distributed via npm (pkg:npm/electerm). To enforce single-instance behavior, the app exposes a local IPC channel (a Unix domain socket on macOS/Linux or a named pipe on Windows) that secondary launches use to forward 'open-tab' payloads to the primary instance. The root cause maps to CWE-94 (Improper Control of Generation of Code, 'Code Injection'): the primary instance trusted the JSON payload received over IPC and passed it directly into store.addTab(), where bookmark fields such as execWindows/execMac/execLinux, their *Args counterparts, setEnv, runScripts, and interactiveValues are honored as legitimate session-launch configuration. Because those fields can specify an arbitrary executable path with arguments and environment, accepting them from an unauthenticated local IPC peer turns a UI configuration surface into a command-execution sink. The fix (commit 0599e67) introduces an ipcOpenTab() wrapper that strips a denylist of dangerous tab properties before forwarding the payload to addTab, and comments out the corresponding zod schema fields for IPC-originated bookmarks.
RemediationAI
Vendor-released patch: upgrade electerm to 3.9.0 or later (the commit diff shows the project subsequently shipped 3.9.5, so install the latest available release from https://github.com/electerm/electerm/releases). The fix introduces store.ipcOpenTab(), which strips the dangerous properties execLinux, execMac, execWindows, execWindowsArgs, execMacArgs, execLinuxArgs, setEnv, runScripts, and interactiveValues from any IPC-supplied tab payload before it reaches addTab(). The vendor's only suggested workaround is 'do not run unsafe commands,' which is not a meaningful control for this bug because the threat model is already a same-user process - until you patch, practical compensating controls are: avoid running electerm on shared/multi-user hosts or hosts that execute untrusted code under your UID (build agents, sandboxed browser helpers, npm postinstall hooks, IDE extensions); start electerm with single-instance behavior disabled if your packaging permits it (this trades off the convenience of one window per launch); or run electerm inside its own OS user account / Flatpak / container so other same-user processes cannot reach the socket or named pipe. Consult the GHSA advisory at https://github.com/electerm/electerm/security/advisories/GHSA-7p5m-v798-f8vv for vendor guidance.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32960
GHSA-7p5m-v798-f8vv