Impact
The vulnerability resides in the runLinux() function of electerm’s npm/install.js script, where attacker‑controlled remote version strings are directly concatenated into an exec("rm -rf …") command without any validation. This weakness (CWE‑77) allows an attacker to inject arbitrary shell commands that are executed with the privileges of the electerm process, resulting in full compromise of the machine on which electerm runs. The impact spans all layers of the OS: confidentiality, integrity, and availability can all be broken, and the attacker gains persistent remote code execution capability.
Affected Systems
Electerm, an open‑source multi‑protocol terminal client, is affected in all releases prior to version 3.3.8. Vendor and product: electerm / electerm. Users of any older electerm version should be aware that the runLinux() function is exposed to unvalidated input. The vulnerability is fixed in electerm v3.3.8 and later.
Risk and Exploitability
With a CVSS score of 9.8, the risk level is critical. No EPSS score is provided and the vulnerability is not listed in KEV, but neither fact diminishes the inherent danger of a command injection that can be triggered remotely. Inferred from the description, the attack requires an attacker to supply a malicious remote version string, most likely through a forged update payload or a compromised server that electerm contacts. Once that payload is processed, the attacker can execute any command with the electerm process's privileges, enabling full system takeover.
OpenCVE Enrichment
Github GHSA