PT-2026-38648 · Electerm · Electerm

Osageling · Published 2026-05-08 · Updated 2026-05-10 · CVE-2026-43942

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: electerm versions 3.x and earlier

Description: The getConstants() IPC handler in src/app/lib/ipc-sync.js serializes the entire process.env object and sends it to the renderer, where it is stored as window.pre.env. This data is accessible to any JavaScript running in the renderer, such as through the DevTools console or a compromised webview context. An attacker with JavaScript execution capabilities in the renderer (potentially via malicious plugins, cross-site scripting (XSS), or terminal hyperlink execution) can exfiltrate sensitive environment variables. These may include AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, GITHUB_TOKEN, NPM_TOKEN, OPENAI_API_KEY, DOCKER_AUTH, and other internal service credentials or database URLs, potentially leading to cloud account compromise, supply chain attacks, and lateral movement.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability. Avoid launching electerm with sensitive environment variables set, using shell scripts or dedicated terminal profiles to clear secrets before starting the application. Do not install plugins from untrusted sources, and audit installed plugins for network access. Disable the remote debugging port and avoid pasting untrusted code into the DevTools console to lock down the renderer context.
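The example below is added to this advisory and is not electerm's code or a fix the project has published; it contrasts the pattern the description reports (an IPC handler that copies all of process.env into the renderer payload) with an allowlist-based alternative, and includes a review-time check that scans a payload for names or values that look like credentials. The environment object, the allowlist contents and the name/value heuristics are constructed for this illustration; the functions run under plain Node without Electron.

```javascript
// Added example, not from the electerm project. Demonstrates why serializing
// process.env for the renderer leaks secrets, and what an allowlisted payload
// looks like. Electron's ipcMain is deliberately not used so this runs in Node.

// Constructed stand-in for process.env (values are placeholders, not real keys).
const SAMPLE_ENV = {
  PATH: '/usr/bin:/bin',
  HOME: '/home/user',
  LANG: 'en_US.UTF-8',
  TERM: 'xterm-256color',
  AWS_SECRET_ACCESS_KEY: 'placeholder-secret',
  GITHUB_TOKEN: 'placeholder-token',
  DATABASE_URL: 'postgres://app:placeholder-pw@db.internal/app',
};

// Vulnerable shape: the whole environment is copied into the payload that
// ends up in the renderer, so any script running there can read every secret.
function getConstantsUnsafe(env = SAMPLE_ENV) {
  return { env: { ...env } };
}

// Hardened shape: only variables the UI has a stated need for are forwarded.
// The allowlist here is hypothetical; a real one comes from the app's needs.
const RENDERER_ENV_ALLOWLIST = ['PATH', 'HOME', 'LANG', 'TERM'];

function getConstantsSafe(env = SAMPLE_ENV) {
  const out = {};
  for (const key of RENDERER_ENV_ALLOWLIST) {
    if (Object.prototype.hasOwnProperty.call(env, key)) {
      out[key] = env[key];
    }
  }
  return { env: out };
}

// Review-time check: flag payload entries whose name looks like a credential,
// or whose value embeds user:password@ in a URL. Heuristic, constructed here.
const SECRET_NAME_PATTERN =
  /(SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|AUTH|CREDENTIAL|PRIVATE_KEY)/i;
const SECRET_VALUE_PATTERN = /:\/\/[^/\s]*:[^@/\s]+@/;

function findLeakedSecrets(payload) {
  const leaked = [];
  for (const [key, value] of Object.entries(payload.env || {})) {
    if (SECRET_NAME_PATTERN.test(key) || SECRET_VALUE_PATTERN.test(String(value))) {
      leaked.push(key);
    }
  }
  return leaked.sort();
}

// Stand-alone run: shows which keys each handler shape would expose.
console.log('unsafe payload leaks:', findLeakedSecrets(getConstantsUnsafe()));
console.log('allowlisted payload leaks:', findLeakedSecrets(getConstantsSafe()));
```

A check like findLeakedSecrets() is useful as a unit test on whatever object the main process hands to the renderer: it fails the build when someone widens the payload back to the full environment. The name heuristic is intentionally broad (it will flag a harmless variable containing AUTH), which is the right direction for a renderer boundary where false positives cost a review and false negatives cost a credential.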

Weakness Enumeration
Information Disclosure
Cleartext Storage of Sensitive Information

Related Identifiers
CVE-2026-43942
GHSA-37J4-88RP-2F6H

Affected Products
Electerm