electerm CVE-2026-49253
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
Remote malicious server needs no client-side privileges (PR:N) but the victim must accept the transfer (UI:R); arbitrary file overwrite gives I:H with minor A:L and no read, so C:N.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
Lifecycle Timeline
1DescriptionGitHub Advisory
Impact
A path traversal vulnerability exists in the Zmodem and Trzsz file download handlers in electerm. When receiving files via Zmodem or Trzsz protocols, electerm uses the remote-supplied filename directly in path.join() with the user-selected download directory without sanitization.
A malicious SSH server or remote shell process can send a specially crafted filename such as ../escaped.txt to escape the user-selected download directory and write files to arbitrary locations on the user's filesystem, subject to process permissions.
Attack scenario:
- User connects to a malicious SSH server
- Attacker initiates a Zmodem or Trzsz file transfer
- Attacker supplies a traversal filename (e.g.,
../../.bashrc,../escaped.txt) - User accepts the transfer and selects a download directory
- File is written outside the selected directory, potentially overwriting sensitive files
Affected components:
src/app/server/zmodem.js-prepareReceiveFile()at line 736src/app/server/trzsz.js-getUniqueFilePath()at line 559,openSaveFile()callback, andsavedFilePathsmapping
Patches
- https://github.com/electerm/electerm/commit/fde153d677a170c5816368f6586647f3af4ef284
Workarounds
If upgrading is not immediately possible, users can mitigate this vulnerability by:
- Only connecting to trusted SSH servers
- Rejecting or canceling any incoming Zmodem or Trzsz file transfers from untrusted sources
- Avoiding the use of Zmodem (
sz/rz) and Trzsz (trz/tsz) commands on untrusted servers
AnalysisAI
Arbitrary file write in electerm via path traversal in its Zmodem and Trzsz file-download handlers lets a malicious SSH server or remote shell overwrite files anywhere the client process can write. When a user accepts an incoming Zmodem (sz/rz) or Trzsz (trz/tsz) transfer, the attacker-supplied filename is passed unsanitized into path.join() with the chosen download directory, so a name like ../../.bashrc escapes that directory. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the victim (1) connect electerm to an attacker-controlled or compromised SSH server or remote shell, (2) that server initiate a Zmodem (sz/rz) or Trzsz (trz/tsz) file transfer, and (3) the victim actively accept the incoming transfer and select a download directory - this user interaction (UI:R) is mandatory. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L, base 7.1) is internally consistent with the description: network vector, no privileges, but mandatory user interaction (the victim must accept the transfer and pick a directory), high integrity impact (arbitrary file overwrite) and low availability impact, with no confidentiality loss since this is a write-only primitive. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who controls or has compromised an SSH server waits for a victim to connect with electerm, then initiates a Zmodem or Trzsz push with a crafted filename such as ../../.bashrc or ../escaped.txt. When the victim accepts the transfer and selects any download directory, electerm resolves the traversal and writes the file outside that directory, letting the attacker plant or overwrite a sensitive file (e.g., a shell startup script) within the user's permissions. … |
| Remediation | Upgrade to the electerm release that includes fix commit fde153d677a170c5816368f6586647f3af4ef284 (Upstream fix available as a commit; a specific tagged patched version is not independently confirmed from the provided data - consult the advisory at https://github.com/electerm/electerm/security/advisories/GHSA-38j7-23hf-9mhc for the exact release). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all users and systems running electerm within your environment; consult your software inventory or endpoint management tools to locate installations. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-38j7-23hf-9mhc