GHSA-wxw2-rwmh-vr8f: electerm: electerm_install_script_CommandInjection Vulnerability Report

April 16, 2026

What kind of vulnerability is it? Who is impacted?

Two Command Injection vulnerabilities in electerm:

macOS Installer (electerm_CommandInjection_02): A command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:150. The runMac() function appends attacker-controlled remote releaseInfo.name directly into an exec("open ...") command without validation.
Linux Installer (electerm_CommandInjection_01): A command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:130. The runLinux() function appends attacker-controlled remote version strings directly into an exec("rm -rf ...") command without validation.

Who is impacted: Users who run npm install -g electerm. An attacker who can control the remote release metadata (version string or release name) served by the project’s update server could execute arbitrary system commands, tamper local files, and escalate compromise of development/runtime assets.

References

Code Behaviors & Features

Detect and mitigate GHSA-wxw2-rwmh-vr8f with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →