Skip to main content

electerm CVE-2026-49253

HIGH
Path Traversal (CWE-22)
2026-07-02 https://github.com/electerm/electerm GHSA-38j7-23hf-9mhc
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
vuln.today AI
7.1 HIGH

Remote malicious server needs no client-side privileges (PR:N) but the victim must accept the transfer (UI:R); arbitrary file overwrite gives I:H with minor A:L and no read, so C:N.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 19:50 vuln.today

DescriptionGitHub Advisory

Impact

A path traversal vulnerability exists in the Zmodem and Trzsz file download handlers in electerm. When receiving files via Zmodem or Trzsz protocols, electerm uses the remote-supplied filename directly in path.join() with the user-selected download directory without sanitization.

A malicious SSH server or remote shell process can send a specially crafted filename such as ../escaped.txt to escape the user-selected download directory and write files to arbitrary locations on the user's filesystem, subject to process permissions.

Attack scenario:

  1. User connects to a malicious SSH server
  2. Attacker initiates a Zmodem or Trzsz file transfer
  3. Attacker supplies a traversal filename (e.g., ../../.bashrc, ../escaped.txt)
  4. User accepts the transfer and selects a download directory
  5. File is written outside the selected directory, potentially overwriting sensitive files

Affected components:

  • src/app/server/zmodem.js - prepareReceiveFile() at line 736
  • src/app/server/trzsz.js - getUniqueFilePath() at line 559, openSaveFile() callback, and savedFilePaths mapping

Patches

  • https://github.com/electerm/electerm/commit/fde153d677a170c5816368f6586647f3af4ef284

Workarounds

If upgrading is not immediately possible, users can mitigate this vulnerability by:

  1. Only connecting to trusted SSH servers
  2. Rejecting or canceling any incoming Zmodem or Trzsz file transfers from untrusted sources
  3. Avoiding the use of Zmodem (sz/rz) and Trzsz (trz/tsz) commands on untrusted servers

AnalysisAI

Arbitrary file write in electerm via path traversal in its Zmodem and Trzsz file-download handlers lets a malicious SSH server or remote shell overwrite files anywhere the client process can write. When a user accepts an incoming Zmodem (sz/rz) or Trzsz (trz/tsz) transfer, the attacker-supplied filename is passed unsanitized into path.join() with the chosen download directory, so a name like ../../.bashrc escapes that directory. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure victim to malicious SSH server
Delivery
Initiate Zmodem/Trzsz transfer with ../ filename
Exploit
Victim accepts transfer and picks directory
Execution
Unsanitized path.join resolves outside directory
Impact
Write/overwrite arbitrary file as user

Vulnerability AssessmentAI

Exploitation Exploitation requires that the victim (1) connect electerm to an attacker-controlled or compromised SSH server or remote shell, (2) that server initiate a Zmodem (sz/rz) or Trzsz (trz/tsz) file transfer, and (3) the victim actively accept the incoming transfer and select a download directory - this user interaction (UI:R) is mandatory. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L, base 7.1) is internally consistent with the description: network vector, no privileges, but mandatory user interaction (the victim must accept the transfer and pick a directory), high integrity impact (arbitrary file overwrite) and low availability impact, with no confidentiality loss since this is a write-only primitive. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who controls or has compromised an SSH server waits for a victim to connect with electerm, then initiates a Zmodem or Trzsz push with a crafted filename such as ../../.bashrc or ../escaped.txt. When the victim accepts the transfer and selects any download directory, electerm resolves the traversal and writes the file outside that directory, letting the attacker plant or overwrite a sensitive file (e.g., a shell startup script) within the user's permissions. …
Remediation Upgrade to the electerm release that includes fix commit fde153d677a170c5816368f6586647f3af4ef284 (Upstream fix available as a commit; a specific tagged patched version is not independently confirmed from the provided data - consult the advisory at https://github.com/electerm/electerm/security/advisories/GHSA-38j7-23hf-9mhc for the exact release). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all users and systems running electerm within your environment; consult your software inventory or endpoint management tools to locate installations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49253 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy