Lack of data validation - Path Traversal In electerm
Description
Electerm runWidget has a path traversal that leads to arbitrary code execution
Impact
The runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user‑supplied widget identifiers without any sanitisation:
const file = `widget-${widgetId}.js` const widget = require(path.join(__dirname, file))
Because runWidget is exposed to the renderer process via an asynchronous IPC handler with no input validation, an attacker who achieves JavaScript execution inside the renderer (for example, through a malicious plugin or a cross‑site scripting flaw in the built‑in webview) can abuse a path traversal (../) to load and execute an arbitrary JavaScript file anywhere on the victim’s filesystem. This gives the attacker local code execution with the full privileges of the electerm process, leading to complete system compromise.
Patches
Fixed in version >= 3.7.16
Workarounds
Until a patch is released:
Do not install or run untrusted plugins.
Avoid loading arbitrary web content inside electerm’s embedded webview (for example, disable any features that fetch and display remote HTML).
Run electerm in a sandboxed environment (e.g., with bubblewrap on Linux, AppArmor/SELinux profiles, or Windows sandboxed app execution) to limit the impact of any code execution.
Resources
Vulnerability details originally reported by external researcher (PoC confirmed on v3.7.9, Win10).
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 npm | electerm | 3.7.16 |
Aliases
References