Electerm Command Injection Vulnerability in NPM Install Script

Vulnerability

A command injection vulnerability has been identified in Electerm versions prior to 3.3.8. The issue is in the NPM installation script: the 'runLinux()' function appends a version string obtained from a remote source directly into a file-removal command string and hands that string to 'exec()'. Because 'exec()' runs its command through a shell, an attacker who controls the remote version string can embed shell metacharacters and have arbitrary commands executed; the string is never validated before use. The result is arbitrary command execution on the installing system, with the ability to manipulate local files and potentially reach development or runtime assets.

Impact

Successful exploitation runs attacker-chosen commands with the privileges of the account performing the installation. A global 'npm install -g' is often run with sudo, in which case the injected commands run as root. An attacker could manipulate files on the host and gain access to sensitive development or runtime resources.

Reproduction

Affected versions reach the vulnerable code path during a global install on Linux, for example with 'npm install -g electerm'. The install script's 'runLinux()' function then builds its file-removal command by concatenating the remotely obtained version string and passes the result to 'exec()'. Triggering the injection requires that the version string the script receives be attacker-controlled, that is, the attacker must control the remote source the script reads it from; a normal install against the legitimate source exercises the vulnerable code but does not by itself execute anything malicious.

Remediation

Upgrade to Electerm version 3.3.8 or later, which addresses this vulnerability. The latest version is available from the Electerm GitHub releases page. Because the flaw is in the NPM install script, installations performed through NPM should be updated through NPM so that the fixed script is the one that runs.

Added: May 8, 2026, 4:34 AM
Updated: May 8, 2026, 4:34 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 4.8
remediation: 7.7
relevance: 7.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.