PT-2026-55451 · Npm · Electerm
Published 2026-07-02 · Updated 2026-07-02
CVE-2026-49255
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Impact
A command injection vulnerability exists in electerm's file system operations (rmrf, mv, cp) in src/app/lib/fs.js. These functions construct shell commands by interpolating file paths directly into command strings without escaping shell metacharacters.

Vulnerable functions:
- rmrf() - uses `rm -rf "${path}"` (double quotes, vulnerable to `"` injection)
- mv() - uses `mv '${from}' '${to}'` (single quotes, vulnerable to `'` injection)
- cp() - uses `cp -r "${from}" "${to}"` (double quotes, vulnerable to `"` injection)
Attack scenario:
- Attacker controls a malicious SSH/SFTP server
- Server lists files with shell metacharacters in names (e.g., `file"$(touch /tmp/pwned)"`)
- Victim connects to the server and performs file operations (remote-to-local transfer, rename on conflict, etc.)
- The malicious filename is passed to rmrf(), mv(), or cp() without sanitization
- Shell metacharacters break out of the quoted argument and execute arbitrary commands
Impact includes:
- Arbitrary command execution as the electerm desktop user
- Data exfiltration, malware installation, or system compromise
- Both POSIX (bash) and Windows (PowerShell) platforms are affected
Patches
Workarounds
If upgrading is not immediately possible, users can mitigate this vulnerability by:
- Only connecting to trusted SSH/SFTP servers
- Avoiding remote-to-local file transfers from untrusted sources
- Not using the "rename on conflict" option when downloading folders from untrusted servers
- Manually verifying filenames before performing file operations
Fix
OS Command Injection
Weakness Enumeration
Related identifiers
Affected products
Electerm