macOS & Linux, Command Injection, GHSA-wxw2-rwmh-vr8f (Critical)

Listen to this Post

How the Mentioned CVE Works

Two command injection flaws exist in the `npm/install.js` script of the electerm terminal emulator. The first, electerm_CommandInjection_01, resides in the `runLinux()` function at line 130. This function constructs a system command to delete old installation files using `exec(“rm -rf …”)` but unsafely incorporates an attacker-controlled remote version string directly into the command without any validation or sanitization. An attacker who can poison the remote release metadata served by the project’s update server could inject arbitrary shell metacharacters (such as ;, &&, or |) into the version string. When a user runs npm install -g electerm, the malicious payload would be executed with the privileges of the user performing the installation, leading to remote code execution.
The second vulnerability, electerm_CommandInjection_02, is found in the `runMac()` function at line 150. It similarly constructs an `exec(“open …”)` command but appends the attacker-controlled `releaseInfo.name` field from the remote update server directly into the command string. By injecting malicious shell commands into the release name, an attacker can force the macOS installer to execute arbitrary code during the update process. Both vulnerabilities allow an attacker to gain full control over the affected system, tamper with local files, and potentially pivot to other internal assets.

DailyCVE Form

Platform: macOS & Linux
Version: npm/electerm < 3.3.8
Vulnerability: Command Injection
Severity: Critical
Date: April 16, 2026

Prediction: Patch available Mar 14, 2026

What Undercode Say

Check your current electerm version
npm list -g electerm --depth=0
Simulate malicious version string (for educational purposes)
Attacker-controlled remote metadata could contain:
version="1.0.0; touch /tmp/pwned"
The vulnerable runLinux() function would execute:
exec("rm -rf /tmp/electerm_" + version)
Resulting in: rm -rf /tmp/electerm_1.0.0; touch /tmp/pwned
Update to the patched version (3.3.8 or later)
npm install -g electerm@latest
Verify the fixed version
npm list -g electerm --depth=0 | grep "[email protected]"

Exploit

To exploit this vulnerability, an attacker must compromise the remote update server or perform a man-in-the-middle (MITM) attack to modify the `version` or `releaseInfo.name` fields in the metadata response. By injecting shell metacharacters (e.g., ;, &&, |, `) followed by arbitrary commands, the attacker can achieve remote code execution on the victim’s machine during the `npm install -g electerm` process.

Protection from this CVE

  • Immediately upgrade to electerm version 3.3.8 or later.
  • If upgrading is not possible, avoid running `npm install -g electerm` until the patch is applied.
  • Use a package lock file and verify the integrity of the downloaded package.
  • Monitor network traffic for signs of MITM attacks on the update server.
  • Consider using a local npm mirror with trusted, validated packages.

Impact

  • Remote Code Execution (RCE): An attacker can execute arbitrary system commands on the victim’s machine.
  • File Tampering: The attacker can delete, modify, or create files (e.g., via the `rm -rf` command in the Linux installer).
  • Privilege Escalation: The commands run with the user’s privileges, potentially allowing further compromise of development or runtime assets.
  • Supply Chain Attack: The vulnerability can be leveraged to distribute malware through the legitimate update mechanism.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top