HIGH 8.8

GHSA-v5ff-xmfp-p245

electerm has Command Injection in File System Operations (rmrf, mv, cp)

Details

### Impact

A command injection vulnerability exists in electerm's file system operations (`rmrf`, `mv`, `cp`) in `src/app/lib/fs.js`. These functions construct shell commands by interpolating file paths directly into command strings without escaping shell metacharacters.

**Vulnerable functions:**

- `rmrf()` uses `rm -rf "${path}"` (double quotes; a `"` in the path ends the quoted argument, and `$(...)`, backticks and `\` are expanded by the shell even inside the double quotes)
- `mv()` uses `mv '${from}' '${to}'` (single quotes; a `'` in the path ends the quoted argument)
- `cp()` uses `cp -r "${from}" "${to}"` (double quotes; same exposure as `rmrf()`)

**Attack scenario:**

1. The attacker controls a malicious SSH/SFTP server.
2. The server lists files whose names contain shell metacharacters (e.g. `file"$(touch /tmp/pwned)"`).
3. The victim connects to the server and performs a file operation (remote-to-local transfer, rename on conflict, etc.).
4. The malicious filename is passed to `rmrf()`, `mv()`, or `cp()` without sanitization.
5. The shell metacharacters break out of the quoted argument and the embedded command runs.

**Impact includes:**

- Arbitrary command execution as the electerm desktop user
- Data exfiltration, malware installation, or system compromise
- Both POSIX (bash) and Windows (PowerShell) platforms are affected

### Patches

- https://github.com/electerm/electerm/commit/aa778818843b9c083bd711cd04644d102fcb5a42

### Workarounds

If upgrading is not immediately possible, users can mitigate this vulnerability by:

1. Only connecting to trusted SSH/SFTP servers
2. Avoiding remote-to-local file transfers from untrusted sources
3. Not using the "rename on conflict" option when downloading folders from untrusted servers
4. Manually verifying filenames before performing file operations


Affected packages

npm / electerm
First affected version: 0 (all prior releases). Fixed version: 3.11.11
Fix: npm install electerm@3.11.11
