Skip to main content

electerm CVE-2026-45353

| EUVDEUVD-2026-32960 CRITICAL
Code Injection (CWE-94)
2026-05-14 https://github.com/electerm/electerm GHSA-7p5m-v798-f8vv
9.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
May 28, 2026 - 18:28 vuln.today
v3 (cvss_changed)
Analysis Updated
May 28, 2026 - 18:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 28, 2026 - 18:22 vuln.today
cvss_changed
CVSS changed
May 28, 2026 - 18:22 NVD
9.3 (CRITICAL)
Source Code Evidence Fetched
May 14, 2026 - 22:00 vuln.today
Analysis Generated
May 14, 2026 - 22:00 vuln.today
CVE Published
May 14, 2026 - 20:29 nvd
CRITICAL

DescriptionGitHub Advisory

Impact

_Local code execution without UI interaction: any same-user process can send a JSON payload to electerm's single-instance socket/pipe, causing the app to create tabs and potentially spawn attacker-controlled local processes. Affects electerm single-instance installs on the machine._

Patches

  • https://github.com/electerm/electerm/commit/0599e67069b00e376a2e962649aaad6096e63507

Workarounds

  • Do not run unsafe command

References

  • Report / credit: https://github.com/Curly-Haired-Baboon
  • Electerm releases: https://github.com/electerm/electerm/releases

AnalysisAI

Local code execution in electerm 3.0.6 through 3.8.8 allows any same-user process to send a crafted JSON payload to electerm's single-instance IPC socket/pipe, causing the application to open tabs with attacker-controlled exec paths, arguments, environment variables, and post-connect scripts that spawn arbitrary local processes. No public exploit identified at time of analysis, but the GHSA advisory and patch commit confirm the vulnerability is real, scored CVSS 4.0 9.3 (Critical), and fixed in version 3.9.0 by filtering dangerous tab properties on the IPC boundary.

Technical ContextAI

electerm is an Electron-based open-source SSH/terminal client distributed via npm (pkg:npm/electerm). To enforce single-instance behavior, the app exposes a local IPC channel (a Unix domain socket on macOS/Linux or a named pipe on Windows) that secondary launches use to forward 'open-tab' payloads to the primary instance. The root cause maps to CWE-94 (Improper Control of Generation of Code, 'Code Injection'): the primary instance trusted the JSON payload received over IPC and passed it directly into store.addTab(), where bookmark fields such as execWindows/execMac/execLinux, their *Args counterparts, setEnv, runScripts, and interactiveValues are honored as legitimate session-launch configuration. Because those fields can specify an arbitrary executable path with arguments and environment, accepting them from an unauthenticated local IPC peer turns a UI configuration surface into a command-execution sink. The fix (commit 0599e67) introduces an ipcOpenTab() wrapper that strips a denylist of dangerous tab properties before forwarding the payload to addTab, and comments out the corresponding zod schema fields for IPC-originated bookmarks.

RemediationAI

Vendor-released patch: upgrade electerm to 3.9.0 or later (the commit diff shows the project subsequently shipped 3.9.5, so install the latest available release from https://github.com/electerm/electerm/releases). The fix introduces store.ipcOpenTab(), which strips the dangerous properties execLinux, execMac, execWindows, execWindowsArgs, execMacArgs, execLinuxArgs, setEnv, runScripts, and interactiveValues from any IPC-supplied tab payload before it reaches addTab(). The vendor's only suggested workaround is 'do not run unsafe commands,' which is not a meaningful control for this bug because the threat model is already a same-user process - until you patch, practical compensating controls are: avoid running electerm on shared/multi-user hosts or hosts that execute untrusted code under your UID (build agents, sandboxed browser helpers, npm postinstall hooks, IDE extensions); start electerm with single-instance behavior disabled if your packaging permits it (this trades off the convenience of one window per launch); or run electerm inside its own OS user account / Flatpak / container so other same-user processes cannot reach the socket or named pipe. Consult the GHSA advisory at https://github.com/electerm/electerm/security/advisories/GHSA-7p5m-v798-f8vv for vendor guidance.

Share

CVE-2026-45353 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy