electerm
cpe:2.3:a:electerm_project:electerm:*:*:*:*:*:*:*
A vulnerability exists in Electerm versions through 3.8.15, where the getConstants() IPC handler serializes the entire process.env object and sends it to the renderer. This data is exposed as window.pre.env and is readable by any JavaScript running in the renderer, for example from the DevTools console or a compromised webview context. An attacker with JavaScript execution in the renderer can easily exfiltrate these secrets to a remote server, potentially leading to cloud account compromise, supply chain attacks, and lateral movement.
Exploitation of this vulnerability allows for unauthorized access to sensitive environment variables, which may include secrets like AWS credentials, GitHub tokens, OpenAI API keys, and internal service credentials. This exposure could lead to unauthorized access to cloud accounts, supply chain attacks, and lateral movement within networks.
Until a patch is released, it is advised to avoid launching Electerm with sensitive environment variables set. Instead, use shell scripts or a dedicated terminal profile that clears secrets before starting the application. Additionally, avoid installing plugins from untrusted sources and audit any installed plugins for network access. Keep the renderer context as secure as possible by disabling the remote debugging port and not pasting untrusted code into the DevTools console.
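The launcher-script mitigation described above, as an added example (not Electerm project code): a POSIX shell wrapper that starts a program under an allowlisted environment, so secrets exported in the parent shell never reach process.env. The allowlist contents, the ELECTERM_BIN variable (default command name electerm) and the --launch flag are assumptions of this example.

```shell
#!/bin/sh
# Added example: start a program with an allowlisted environment only.
# ALLOW, ELECTERM_BIN and the --launch flag are assumptions of this example.
ALLOW="HOME PATH USER LOGNAME SHELL LANG TERM DISPLAY WAYLAND_DISPLAY \
XAUTHORITY XDG_RUNTIME_DIR XDG_SESSION_TYPE DBUS_SESSION_BUS_ADDRESS"
ELECTERM_BIN=${ELECTERM_BIN:-electerm}

# Return 0 if the variable name $1 is on the allowlist.
is_allowed() {
  for a in $ALLOW; do
    [ "$1" = "$a" ] && return 0
  done
  return 1
}

# Print the names of exported variables the wrapper will NOT pass on.
# awk's ENVIRON is used instead of parsing `env` output so that
# multi-line values cannot be mistaken for variable names.
dropped_vars() {
  awk 'BEGIN { for (k in ENVIRON) print k }' |
    while IFS= read -r name; do
      is_allowed "$name" || printf '%s\n' "$name"
    done | sort
}

# Run "$@" under `env -i`, re-adding only allowlisted variables that are set.
run_scrubbed() {
  for name in $ALLOW; do
    if eval "[ \"\${$name+x}\" = x ]"; then
      eval "val=\$$name"
      set -- "$name=$val" "$@"
    fi
  done
  env -i "$@"
}

# Usage: ./electerm-clean.sh --launch [electerm args...]
if [ "${1:-}" = "--launch" ]; then
  shift
  echo "Not passing to $ELECTERM_BIN:" >&2
  dropped_vars | sed 's/^/  /' >&2
  run_scrubbed "$ELECTERM_BIN" "$@"
fi
```

Local shells opened inside the application inherit the same reduced environment, so tools that need those credentials have to obtain them another way.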