Command Injection in electerm via Unsafe Shell Execution in Package Installation
electerm's install.js contains a command injection flaw where attacker-controlled version strings are directly concatenated into shell commands without sanitization. Defenders must identify vulnerable installations and verify patching, as remote version metadata compromise could lead to arbitrary code execution during package installation.
CVE References
Affected
Vulnerability Description
The vulnerability exists in `npm/install.js:130`, where the `runLinux()` function constructs shell commands by string concatenation with untrusted input. Specifically, remote version strings obtained from the project's update server are interpolated directly into `exec("rm -rf ...")` calls without validation, escaping, or parameterization; Node's `exec()` hands the resulting string to `/bin/sh -c`, so any shell metacharacters in it are interpreted. This is a classic OS Command Injection (CWE-78) vulnerability. An attacker controlling the remote metadata endpoint could inject shell metacharacters (pipes, semicolons, command substitution syntax) to execute arbitrary commands with the privileges of the installing user, which for a global install (`npm install -g`) is frequently root via `sudo`.
Proof-of-Concept Significance
This PoC demonstrates a supply-chain attack vector with high reliability. The preconditions are: (1) a user runs `npm install -g electerm` on Linux, and either (2) the attacker compromises the release metadata server, or (3) the attacker interposes on the connection to it (DNS or BGP hijacking), which additionally requires defeating transport security on that fetch (plain HTTP, or TLS without certificate verification). Once triggered, the vulnerability grants arbitrary command execution during the installation phase, a trust boundary violation: the installing host executes whatever the metadata endpoint returns. The PoC validates that the version metadata is neither allow-listed nor escaped before shell execution, confirming that the flaw is exploitable at scale.
Detection Guidance
Log Indicators:
- Monitor `npm install` logs for unusual exit codes or error messages from `rm -rf` commands
- Watch for child processes spawned by Node.js with unexpected arguments
- Track network requests from the electerm installer to version-check endpoints; correlate with subsequent process execution
File Integrity:
- Baseline `/usr/lib/node_modules/electerm/npm/install.js` (or the equivalent path under the npm global prefix, see `npm prefix -g`) and alert on modifications
- Monitor system calls: `execve()` invocations from Node.js that launch a shell interpreter (`/bin/sh -c`) during install phases should be treated as suspicious. Note that Node's `exec()` always runs its command through `/bin/sh -c`, so the shell launch itself is expected wherever an install script uses `exec()`; the signal is unexpected content (extra commands, redirections, command substitution) in the shell's argument string.
YARA/IDS Signatures:
- Alert on `exec("rm -rf` patterns in JavaScript files combined with version variable interpolation
- Flag unquoted shell command construction with remote-sourced variables in Node.js installation scripts
Mitigation Steps
- Immediate: Users must upgrade electerm to a release that includes the patched commit `59708b38c8a52f5db59d7d4eff98e31d573128ee` (available on npm). To find affected hosts, enumerate the installed global version with `npm ls -g electerm`.
- Deployment: Enforce `npm audit` in CI/CD pipelines to reject vulnerable versions (effective once the advisory is published to the npm advisory database; `npm audit` checks project lockfiles, not global installs); use `npm ci --audit` in production installations
- Code Review: Audit all Node.js scripts in `node_modules` for similar patterns (unescaped `exec()`, command concatenation), including `preinstall`/`postinstall` lifecycle scripts, which run automatically during `npm install`
- Principle: Replace `exec()` with parameterized alternatives like `execFile()` with argument arrays; never construct commands via string interpolation. Where the goal is only to delete a directory, use `fs.rm()` directly and avoid a shell altogether.
- Network: Implement certificate pinning and request signing for package metadata to mitigate server compromise
Risk Assessment
Likelihood: Medium-to-High. Supply-chain attacks on npm packages are actively pursued; the attack surface (metadata endpoint) is remote and potentially lower-security than the main repository. Global installation (npm install -g) is common in developer workflows, maximizing exposure.
Threat Actor Interest: High. RCE at software-build time is a high-value persistence mechanism for advanced threat actors; compromising developer machines via package installation is a documented APT technique (e.g., 3CX breach, Codecov exfiltration).
Real-World Exploitation: No specific in-the-wild exploitation is cited here, but defenders should treat any Linux host on which electerm was installed via `npm install -g` before the fix as potentially compromised, since a malicious metadata response would have run arbitrary commands at install time. Prioritize patching and review for development machines and build servers. Hosts that are truly air-gapped cannot reach the update server and are not exposed through this path, but packages mirrored into such networks should still be checked for the fixed version.
Sources