Impact
A command injection vulnerability exists in electerm's file system operations (rmrf, mv, cp) in src/app/lib/fs.js. These functions construct shell commands by interpolating file paths directly into command strings without escaping shell metacharacters.
Vulnerable functions:
rmrf() - Uses rm -rf "${path}" (double quotes, vulnerable to " injection)
mv() - Uses mv '${from}' '${to}' (single quotes, vulnerable to ' injection)
cp() - Uses cp -r "${from}" "${to}" (double quotes, vulnerable to " injection)
Attack scenario:
- Attacker controls a malicious SSH/SFTP server
- Server lists files with shell metacharacters in names (e.g.,
file"$(touch /tmp/pwned)")
- Victim connects to the server and performs file operations (remote-to-local transfer, rename on conflict, etc.)
- The malicious filename is passed to
rmrf(), mv(), or cp() without sanitization
- Shell metacharacters break out of the quoted argument and execute arbitrary commands
Impact includes:
- Arbitrary command execution as the electerm desktop user
- Data exfiltration, malware installation, or system compromise
- Both POSIX (bash) and Windows (PowerShell) platforms are affected
Patches
Workarounds
If upgrading is not immediately possible, users can mitigate this vulnerability by:
- Only connecting to trusted SSH/SFTP servers
- Avoiding remote-to-local file transfers from untrusted sources
- Not using the "rename on conflict" option when downloading folders from untrusted servers
- Manually verifying filenames before performing file operations
References
Impact
A command injection vulnerability exists in electerm's file system operations (
rmrf,mv,cp) insrc/app/lib/fs.js. These functions construct shell commands by interpolating file paths directly into command strings without escaping shell metacharacters.Vulnerable functions:
rmrf()- Usesrm -rf "${path}"(double quotes, vulnerable to"injection)mv()- Usesmv '${from}' '${to}'(single quotes, vulnerable to'injection)cp()- Usescp -r "${from}" "${to}"(double quotes, vulnerable to"injection)Attack scenario:
file"$(touch /tmp/pwned)")rmrf(),mv(), orcp()without sanitizationImpact includes:
Patches
Workarounds
If upgrading is not immediately possible, users can mitigate this vulnerability by:
References