CVE-2026-49255HIGHCVSS 8.8

electerm has Command Injection in File System Operations (rmrf, mv, cp)

Published Jul 2, 2026·Updated Jul 2, 2026

Description

### Impact A command injection vulnerability exists in electerm's file system operations (`rmrf`, `mv`, `cp`) in `src/app/lib/fs.js`. These functions construct shell commands by interpolating file paths directly into command strings without escaping shell metacharacters. **Vulnerable functions:** - `rmrf()` - Uses `rm -rf "${path}"` (double quotes, vulnerable to `"` injection) - `mv()` - Uses `mv '${from}' '${to}'` (single quotes, vulnerable to `'` injection) - `cp()` - Uses `cp -r "${from}" "${to}"` (double quotes, vulnerable to `"` injection) **Attack scenario:** 1. Attacker controls a malicious SSH/SFTP server 2. Server lists files with shell metacharacters in names (e.g., `file"$(touch /tmp/pwned)"`) 3. Victim connects to the server and performs file operations (remote-to-local transfer, rename on conflict, etc.) 4. The malicious filename is passed to `rmrf()`, `mv()`, or `cp()` without sanitization 5. Shell metacharacters break out of the quoted argument and execute arbitrary commands **Impact includes:** - Arbitrary command execution as the electerm desktop user - Data exfiltration, malware installation, or system compromise - Both POSIX (bash) and Windows (PowerShell) platforms are affected ### Patches - https://github.com/electerm/electerm/commit/aa778818843b9c083bd711cd04644d102fcb5a42 ### Workarounds If upgrading is not immediately possible, users can mitigate this vulnerability by: 1. Only connecting to trusted SSH/SFTP servers 2. Avoiding remote-to-local file transfers from untrusted sources 3. Not using the "rename on conflict" option when downloading folders from untrusted servers 4. Manually verifying filenames before performing file operations

Affected Packages (1)

electermNPM
Fixed in = 3.11.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

View on NVD Search GitHub Search Google

Get alerted for CVEs like this

Register your stack and get notified within minutes when a matching CVE drops.

Start monitoring free