CVE-2026-43944: Arbitrary Local Code Execution in electerm via Malicious Deep Links

The electerm application operates as a multi-protocol terminal client, providing interfaces for SSH, SFTP, Telnet, RDP, and VNC connections. To facilitate rapid session initiation, the application registers a custom operating system URI handler (electerm://) and processes specific command-line arguments. These interfaces allow external applications, such as web browsers, to pass connection parameters directly to the client.

The vulnerability resides in the parseQuickConnect function, which processes the opts parameter supplied via deep links or CLI flags. The application extracts a JSON string from this parameter and parses it into a JavaScript object without applying schema validation or sanitization routines. This design flaw allows an attacker to supply an arbitrarily complex object structure.

The parsed object is subsequently merged into the primary session configuration object using the Object.assign method. This operation replaces internal configuration properties with the values provided in the untrusted payload. The lack of property filtering permits the modification of critical operational parameters, including the connection protocol and the path to the local executable binary.

By crafting a malicious URI, an attacker forces the application to route the session through the local terminal handler rather than a remote network protocol. The local handler then processes the injected payload and executes the designated binary on the victim's machine. This process operates with the exact privileges of the electerm application, resulting in a full system compromise in the context of the running user.

The fundamental root cause is the improper control of configuration state boundaries, classified under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere). The parseQuickConnect function accepts a serialized JSON payload via the opts parameter. The software assumes this payload will only contain non-critical connection attributes, such as hostnames or port definitions.

The vulnerability manifests during the configuration merging phase. The application executes Object.assign(opts, extraOpts) where extraOpts represents the parsed, attacker-controlled JSON structure. This operation recursively overwrites properties in the target opts object with values extracted from the source object. No restrictions exist on which keys can be overwritten during this merge operation.

Attackers abuse this mechanism to manipulate the state machine of the session handler. By injecting the key-value pair "type": "local", the attacker bypasses remote connection initialization routines, such as SSH handshakes. This injection forces the application to route execution flow into the local terminal handler module.

Once the local terminal mode is activated, the application retrieves configuration keys like execWindows, execMac, or execLinux to determine the correct system shell to spawn. Because these specific keys can also be defined within the malicious JSON payload, the application passes the attacker-provided path directly to Node.js child process APIs, executing the payload.

Analysis of the src/app/common/parse-quick-connect.js file demonstrates the exact implementation of the vulnerability. In vulnerable builds, the application parses the optsStr variable directly via JSON.parse() and immediately merges the resulting object into the application state.

The following snippet demonstrates the insecure implementation prior to the application of security patches. The blind merge operation provides the execution primitive.

// Vulnerable implementation
if (optsStr) {
  try {
    const extraOpts = JSON.parse(optsStr) // Untrusted input parsed
    Object.assign(opts, extraOpts)        // Blind merge overwrites state
  } catch (err) {
    console.error('Failed to parse opts:', err)
  }
}

The vendor addressed this specific vector in commit 8a6a17951e96d715f5a231532bbd8303fe208700 by introducing a configuration deny-list. The patch removes specific high-risk keys from the parsed object before merging the configurations.

// Patched implementation (Commit 8a6a17951e96d715f5a231532bbd8303fe208700)
const OPTS_DENY_LIST = ['type', 'host']
// ...
if (optsStr) {
  try {
    const extraOpts = JSON.parse(optsStr)
    OPTS_DENY_LIST.forEach(key => delete extraOpts[key]) // Deny-list filter
    Object.assign(opts, extraOpts)
  } catch (err) { /* ... */ }
}

A supplementary patch (commit a79e06f4a1f0ac6376c3d2411ef4690fa0377742) was applied to src/app/server/session-local.js to mitigate path traversal during executable resolution. This modification explicitly rejects execution paths containing the .. sequence, restricting directory traversal attempts.

Exploitation necessitates the construction of a malicious JSON payload and subsequent delivery to the vulnerable application instance. The payload targets the type parameter and operating system-specific execution variables. The attacker defines the path to the target executable within the payload structure.

The attacker encapsulates this JSON payload within an electerm:// URI. A common attack vector involves social engineering, whereby the attacker tricks a user into interacting with a link formatted specifically for their operating system. An example URI targeting Windows systems is formatted as electerm://quick-connect/attacker.com?opts={"type":"local","execWindows":"C:\\Windows\\System32\\calc.exe"}.

Exploitation can alternatively occur via the command-line interface. If an attacker possesses restricted shell access or the capability to modify application shortcuts, they pass the payload via the --opts flag. The command execution follows an identical vulnerable code path as the URI handler, yielding the same execution result.

The exploitation sequence is mathematically modeled in the execution graph below. The diagram illustrates the complete execution flow from external user input to arbitrary process creation.

The vulnerability yields arbitrary local code execution on the workstation running the electerm client. The injected executable runs with the precise permissions and user context of the electerm application instance. This configuration grants the attacker substantial control over the victim's environment.

Successful exploitation allows an attacker to read, modify, or exfiltrate sensitive files accessible to the active user. This access encompasses stored SSH private keys, environment variables, and credentials maintained by electerm or adjacent applications. The attacker can achieve permanent persistence by modifying startup scripts, executing registry modifications, or dropping secondary payloads.

The CVSS v4.0 base score is calculated at 9.4, denoting Critical severity. The vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H validates the remote delivery vector, minimal attack complexity, and the complete compromise of system confidentiality, integrity, and availability following successful exploitation.

While the vulnerability requires user interaction to trigger the URI handler, the widespread integration of deep links in modern application workflows lowers the attack threshold. Threat actors frequently utilize custom protocol handlers in targeted phishing campaigns to bypass standard email gateway protections and secure web gateways.

The definitive remediation is upgrading the electerm installation to version 3.8.15 or later. This release incorporates the deny-list filter for session configuration keys and implements the path traversal restrictions for local execution targets, effectively disrupting the primary exploit chain.

Enterprises unable to deploy the software patch immediately should unregister the electerm:// protocol handler at the operating system level. This configuration change breaks the remote exploitation vector by preventing web browsers, chat clients, and email applications from passing malicious URIs to the vulnerable application.

The implemented patch relies heavily on a deny-list approach, specifically filtering the type and host keys. Deny-lists represent an inherently fragile security control, as they require developers to enumerate all possible dangerous inputs accurately. Research indicates that other sensitive keys, such as execWindowsArgs, proxyCommand, or privateKeyPath, might remain overridable, potentially allowing indirect execution paths.

Furthermore, the JSON.parse() followed by Object.assign() pattern remains present in the patched code. This design pattern frequently leads to Prototype Pollution if the __proto__ key is not explicitly filtered during object merging. Security engineers should monitor the application repository for subsequent advisories addressing these residual attack surfaces.