Developer Tooling
CVE-2026-41500 critical CVSS 9.8

Command Injection in electerm-project (CVE-2026-41500)

Summary

Command injection in electerm-project (CVE-2026-41500). Successful exploitation can lead to full system takeover. Exploitable via `releaseInfo.name`. Mitigation: upgrade to `> 3.2.0`.

AI summary openai / gpt-4o

A vulnerability in the electerm terminal client allows malicious actors to inject harmful commands into computers, particularly impacting macOS users installing via npm. This could lead to partial system takeover. The issue has been patched in the latest version 3.3.8, and users should update immediately.
The vulnerability in electerm is a command injection in the `runMac()` function of `github.com/electerm/electerm/npm/install.js:150`. There, the attacker-controlled `releaseInfo.name` is inserted into an `exec("open ...")` command string without validation. Affected versions are <=3.2.0; the fix is in 3.3.8. There are no workarounds, so updating via `npm install -g electerm` is critical. Detection is difficult, so continuous monitoring of system logs is advised.
❓ What is the problem
Command injection vulnerability in electerm's runMac() function.
📍 Affected scope
github.com/elcterm/electerm/npm/install.js:150.
🔥 Severity
Critical severity (CVSS v3: 9.8, remote exploitation without authentication).
🔧 How to fix
Update to electerm version 3.3.8 via npm.
🛡️ Workaround
No workaround available.
🔍 Detection
Monitoring system logs for unusual entries post-update.

Related past incidents
Similar incidents extracted from past CVEs

A sudo privilege-escalation vulnerability on systems lacking proper input validation.
The Shellshock bug, another shell command injection resulting from improper input handling.
The widely exploited Log4j vulnerability triggered by logging untrusted data, parallel in kind to electerm's flaw.

If this happens at your company
Expected impact per business scenario

📌 Development environments using electerm for remote connections.
Unauthorized command execution could compromise sensitive source code and configuration files.
📌 Systems administrators managing servers over SSH via electerm.
Attackers may execute arbitrary commands, leading to potential server compromise.
📌 Organizations using electerm for telnet/sftp operations on macOS.
Unauthorized access and command execution could disrupt operations and lead to data integrity issues.
Recommended action
Promptly update electerm to version 3.3.8 and monitor systems for anomalies.

Response Actions (7 steps)

Concrete steps and command examples for SOC/SRE teams to execute in order

  1. Step 1 (identify): Identify exposure
     grep -r 'electerm-project' . | grep -v node_modules

     Grep for `electerm-project` in the repository and in the production environment's dependency files (package-lock.json / requirements.txt / go.sum / Gemfile.lock, etc.) to establish which running services and versions are affected.

  2. Step 2 (verify): Match against affected range
     Confirm if version satisfies `<=3.2.0`

     Check whether the version found in Step 1 falls within the affected range `<=3.2.0`. If it is running in production, treat it as an incident.

  3. Step 6 (patch): Apply patch
     Upgrade electerm-project to > 3.2.0

     Upgrade to > 3.2.0 in staging and run regression tests, then roll out to production. Regression testing should cover the application's main happy paths plus a follow-up check on the anomalies found in Step 3.

  4. Step 7 (verify): Post-deployment verification
     Confirm patched version is live in production

     After applying the patch, reproduce the PoC or an equivalent exploitation pattern in staging to confirm the vulnerability is closed. In production, keep monitoring with the same log query as in Step 3 to make sure the alert does not recur.
