GHSA-v5ff-xmfp-p245

Source
https://github.com/advisories/GHSA-v5ff-xmfp-p245
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-v5ff-xmfp-p245/GHSA-v5ff-xmfp-p245.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-v5ff-xmfp-p245
Aliases
  • CVE-2026-49255
Published
2026-07-02T19:22:31Z
Modified
2026-07-02T19:30:07.633499433Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
electerm has Command Injection in File System Operations (rmrf, mv, cp)
Details

Impact

A command injection vulnerability exists in electerm's file system operations (rmrf, mv, cp) in src/app/lib/fs.js. These functions construct shell commands by interpolating file paths directly into command strings without escaping shell metacharacters.

Vulnerable functions:
  • rmrf() - uses rm -rf "${path}" (double quotes, vulnerable to " injection)
  • mv() - uses mv '${from}' '${to}' (single quotes, vulnerable to ' injection)
  • cp() - uses cp -r "${from}" "${to}" (double quotes, vulnerable to " injection)

Attack scenario:
  1. Attacker controls a malicious SSH/SFTP server
  2. Server lists files with shell metacharacters in names (e.g., file"$(touch /tmp/pwned)")
  3. Victim connects to the server and performs file operations (remote-to-local transfer, rename on conflict, etc.)
  4. The malicious filename is passed to rmrf(), mv(), or cp() without sanitization
  5. Shell metacharacters break out of the quoted argument and execute arbitrary commands

Impact includes:
  • Arbitrary command execution as the electerm desktop user
  • Data exfiltration, malware installation, or system compromise
  • Both POSIX (bash) and Windows (PowerShell) platforms are affected

Patches

  • https://github.com/electerm/electerm/commit/aa778818843b9c083bd711cd04644d102fcb5a42

Workarounds

If upgrading is not immediately possible, users can mitigate this vulnerability by:
  1. Only connecting to trusted SSH/SFTP servers
  2. Avoiding remote-to-local file transfers from untrusted sources
  3. Not using the "rename on conflict" option when downloading folders from untrusted servers
  4. Manually verifying filenames before performing file operations

Database specific
{
    "github_reviewed_at": "2026-07-02T19:22:31Z",
    "nvd_published_at": null,
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-78"
    ],
    "severity": "HIGH"
}
References

Affected packages

npm / electerm

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.11.11

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-v5ff-xmfp-p245/GHSA-v5ff-xmfp-p245.json"
last_known_affected_version_range
"<= 3.11.0"