Electerm's full process.env exposed to renderer via window.pre.env

Description

The getConstants() IPC handler in src/app/lib/ipc-sync.js serialises the entire process.env object and sends it to the renderer. The data is stored as window.pre.env and is accessible from any JavaScript running in the renderer (e.g., via the DevTools console or a compromised webview context).

Recommendation

No fix is available yet. Followings are affected versions:

• <= 3.8.15

References

• GHSA-37j4-88rp-2f6h
• CVE-2026-43942
• CWE-200
• CWE-312
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A4
• OWASP 2021-A6

Related Issues

• electerm has Command Injection via runLinux funtion - CVE-2026-41501
• Prometheus exporter process crash via malformed HTTP request - @opentelemetry/sdk-node - CVE-2026-44902
• Prometheus exporter process crash via malformed HTTP request - @opentelemetry/exporter-prometheus - CVE-2026-44902
• Electerm Security Vulnerability: RCE via malicious SSH server filename in openFileWithEditor - CVE-2026-43943

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

electerm