Description
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, the getConstants() IPC handler in src/app/lib/ipc-sync.js serialises the entire process.env object and sends it to the renderer. The data is stored as window.pre.env and is accessible from any JavaScript running in the renderer (e.g., via the DevTools console or a compromised webview context). An attacker who achieves any JavaScript execution within the renderer can trivially exfiltrate these secrets to a remote server, leading to cloud account compromise, supply chain attacks, and lateral movement. At time of publication, there are no publicly available patches.
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In electerm 3.8.15 and earlier, the IPC handler serializes the entire process.env object and sends it to the renderer, where it is stored as window.pre.env. Any JavaScript execution in the renderer can read this object, allowing an attacker to exfiltrate sensitive data such as cloud credentials. This disclosure can lead to account compromise, supply chain attacks, and lateral movement. The flaw is a classic Information Disclosure vulnerability under CWE‑200 and a credential compromise under CWE‑312.

Affected Systems

The affected product is electerm 3.8.15 and all prior releases. Users running these versions of the open‑source terminal and SSH client are at risk.

Risk and Exploitability

The CVSS score is 5.5, indicating medium severity. No EPSS value is available, so the likelihood of exploitation is not quantified. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires any JavaScript execution within the renderer, which can be achieved via compromised webview contexts or local exploitation of the renderer process.

Generated by OpenCVE AI on May 8, 2026 at 05:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update electerm to the latest version once a fix is released.
  • If an update is not available, modify or disable the IPC getConstants() handler so that process.env is not serialized to the renderer.
  • Restrict renderer JavaScript execution by enabling context isolation, disabling devtools and remote debugging, and limiting webview permissions.

Generated by OpenCVE AI on May 8, 2026 at 05:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 04:00:00 +0000

Type Values Removed Values Added
Description electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, the getConstants() IPC handler in src/app/lib/ipc-sync.js serialises the entire process.env object and sends it to the renderer. The data is stored as window.pre.env and is accessible from any JavaScript running in the renderer (e.g., via the DevTools console or a compromised webview context). An attacker who achieves any JavaScript execution within the renderer can trivially exfiltrate these secrets to a remote server, leading to cloud account compromise, supply chain attacks, and lateral movement. At time of publication, there are no publicly available patches.
Title electerm: Full process.env exposed to renderer via window.pre.env in electerm
Weaknesses CWE-200
CWE-312
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T03:03:54.752Z

Reserved: 2026-05-04T16:59:09.090Z

Link: CVE-2026-43942

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T04:16:23.640

Modified: 2026-05-08T04:16:23.640

Link: CVE-2026-43942

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T05:30:46Z

Weaknesses