9.8
Electerm Installer Command Injection on macOS and Linux
GHSA-wxw2-rwmh-vr8f
Summary
Users who install Electerm globally with npm are at risk of arbitrary command execution and file tampering. An attacker can exploit this vulnerability by controlling the Electerm update server to run malicious commands. No action is required as the issue has been patched in the latest version.
What to do
- Update zxdong262 electerm to version 3.3.8.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| npm | zxdong262 | electerm | < 3.3.8 (fix: upgrade to 3.3.8) |
Original title
electerm: electerm_install_script_CommandInjection Vulnerability Report
Original description
### Impact
_What kind of vulnerability is it? Who is impacted?_
**Two Command Injection vulnerabilities in electerm:**
1. **macOS Installer** (`electerm_CommandInjection_02`): A command injection vulnerability exists in `github.com/electerm/electerm/npm/install.js:150`. The `runMac()` function appends the attacker-controlled remote `releaseInfo.name` directly into an `exec("open ...")` command string without validation.
2. **Linux Installer** (`electerm_CommandInjection_01`): A command injection vulnerability exists in `github.com/electerm/electerm/npm/install.js:130`. The `runLinux()` function appends attacker-controlled remote version strings directly into an `exec("rm -rf ...")` command string without validation.
**Who is impacted:** Users who run `npm install -g electerm`. An attacker who can control the remote release metadata (version string or release name) served by the project's update server could execute arbitrary system commands, tamper local files, and escalate compromise of development/runtime assets.
---
### Patches
_Has the problem been patched? What versions should users upgrade to?_
Fixed in [59708b38c8a52f5db59d7d4eff98e31d573128ee](https://github.com/electerm/electerm/commit/59708b38c8a52f5db59d7d4eff98e31d573128ee); users do not need to upgrade manually, as the new version is already published on npm.
---
### Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_
No.
Source: osv · CVSS 3.1: 9.8
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026