Electerm's full process.env exposed to renderer via window.pre.env

Description

The getConstants() IPC handler in src/app/lib/ipc-sync.js serialises the entire process.env object and sends it to the renderer. The data is stored as window.pre.env and is accessible from any JavaScript running in the renderer (e.g., via the DevTools console or a compromised webview context).

Recommendation

No fix is available yet. Followings are affected versions:

• <= 3.8.15

References

• GHSA-37j4-88rp-2f6h
• CVE-2026-43942
• CWE-200
• CWE-312
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A4
• OWASP 2021-A6

Related Issues

• Payload: Pre-Authentication Account Takeover via Parameter Injection in Password Recovery - payload - CVE-2026-34751
• Parse Server has a query condition depth bypass via pre-validation transform pipeline - CVE-2026-33498
• Payload: Pre-Authentication Account Takeover via Parameter Injection in Password Recovery - CVE-2026-34751
• Astro has Full-Read SSRF in error rendering via Host: header injection - CVE-2026-25545

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

electerm