CVE-2026-43944 Patch Review: Partial fix for electerm deep-link local code execution
Summary
The patch reduces exploitability by blocking some attacker-controlled configuration overrides in quick-connect parsing and by rejecting Windows exec values containing '..' in local session handling. However, the changes are narrow relative to the reported impact: only 'type' and 'host' are deny-listed in quick-connect parsing, and the local execution hardening shown is limited to a path-traversal-style substring check on Windows exec configuration. Based on the provided diffs, the remediation addresses important abuse paths but does not demonstrate comprehensive schema validation or a strict allow-list for executable selection and protocol handling.
Analysis
Vulnerability
CVE-2026-43944 describes arbitrary local code execution in electerm before 3.8.15 via crafted electerm:// URIs or CLI flags. The issue is summarized as insecure merging of user-controlled JSON into session configuration, allowing protocol and executable hijacking. The provided patch context shows that quick-connect parsing accepted extra JSON options and merged them into connection/session state without sufficient restriction, while local session execution logic consumed executable-related configuration in a security-sensitive path. This aligns with the CVE and MITRE records that characterize the bug as local code execution triggered by malicious deep links or arguments: MITRE, NVD.
The core weakness is trust boundary failure: untrusted deep-link or CLI input is treated as configuration data and merged into privileged runtime settings. In this design, attacker-controlled keys can influence transport selection, host interpretation, or local executable invocation. Once configuration objects are merged without strict schema enforcement, any downstream code that assumes those fields are trusted becomes an execution primitive.
    const OPTS_DENY_LIST = ['type', 'host']
    OPTS_DENY_LIST.forEach(key => delete extraOpts[key])

The snippet above from the quick-connect patch indicates that the original parser allowed attacker-supplied opts JSON to override fields derived from the URI itself. That is a direct indicator of unsafe object merging in a parser that handles externally supplied connection descriptors. Source: commit 8a6a179.
Patch
The remediation is split across two commits. First, in both src/app/common/parse-quick-connect.js and src/client/common/parse-quick-connect.js, the patch introduces an OPTS_DENY_LIST containing type and host, then deletes those keys from attacker-controlled extraOpts before merge. This is intended to prevent the JSON payload from overriding protocol and host values parsed from the deep link itself. Source: commit 8a6a179.
Second, in src/app/server/session-local.js, the patch refactors platform detection into isWin and adds a validation check that rejects an exec value containing .. before continuing. This is a narrow hardening step against path traversal-like executable selection on Windows local sessions. The same commit also removes an unused React import in src/client/components/ai/ai-config.jsx, which is unrelated to the vulnerability. Source: commit a79e06f.
    const isWin = platform.startsWith('win')
    const exec = isWin
    if ((exec || '').includes('..')) {
      return Promise.reject(new Error('execWindows should not contain ".."'))
    }
    const arg = isWin

As shown in the provided digest, the local-session hardening is specifically a substring rejection for '..'. The patch evidence provided does not show broader normalization, canonicalization, allow-listing, or schema validation around executable fields.
Review
Pros
- The patch directly addresses a documented trust-boundary problem in quick-connect parsing by preventing attacker-controlled opts from overriding at least two critical fields: type and host.
- The fix is applied in both app and client quick-connect parsers, reducing the chance of inconsistent behavior across code paths. Source: commit 8a6a179.
- The local session patch adds explicit validation before using executable-related configuration, which is preferable to relying on downstream command execution behavior. Source: commit a79e06f.
- The changes are low-risk operationally: deleting dangerous override keys and rejecting suspicious exec values should not materially affect legitimate deep-link parsing beyond unsafe cases.
Cons
- The deny-list is very narrow. Only type and host are removed from extraOpts, but the CVE summary describes arbitrary local binary execution via protocol and executable hijacking. Based on the provided snippets, there is no evidence of a comprehensive allow-list or schema for all security-sensitive keys.
- Deny-lists are brittle for configuration merging. If other fields influence local execution, shell selection, protocol handlers, arguments, or session mode, they may remain attacker-controlled unless separately blocked.
- The exec validation shown is limited to rejecting values containing '..'. That is not equivalent to constraining execution to a safe set of binaries or trusted absolute paths. An attacker may not need path traversal syntax to select an unintended executable.
- The local-session hardening appears Windows-specific in the snippet and does not demonstrate equivalent controls for non-Windows execution paths.
- The patch evidence does not show object schema validation, deep-merge restrictions, or a redesign that separates untrusted deep-link parameters from privileged local-session configuration. Without that, the underlying class of bug may persist in adjacent keys or code paths.
Verdict
Partial fix.
The patch mitigates the reported exploit chain but does not convincingly eliminate the root cause based on the supplied diffs. The quick-connect parser now strips two dangerous override keys, and the local-session code rejects one suspicious exec pattern, but both controls are selective and reactive. For a vulnerability caused by merging untrusted JSON into privileged session configuration, the stronger remediation would be a strict schema or allow-list for externally supplied parameters, plus explicit separation between remote connection metadata and local execution settings. As implemented in the visible changes, the patch reduces attack surface but leaves concern that other configuration keys or execution paths could still be abused.
Recommended follow-up engineering work: replace deny-list merging with typed allow-listed parsing for deep links and CLI flags; prohibit all executable-selection fields from untrusted input; canonicalize and validate executable paths across platforms; and add regression tests covering malicious electerm:// payloads that attempt to override protocol, host, executable, and argument-related fields. References: commit 8a6a179, commit a79e06f, NVD, MITRE.
Recommended Labs
Try this vulnerability pattern yourself with hands-on labs.
- Electron RCE.js
Best direct match for the electerm deep-link issue: it focuses on Electron and remote/local command execution patterns, which is highly relevant to unsafe URI/CLI handling, executable hijacking, and hardening process launch paths.
- BadVal.js
Good defensive follow-up for understanding how untrusted input reaches command execution sinks in JavaScript. Useful for practicing validation, allowlisting, and safe process-spawn design beyond a partial patch.
- Electron LFI.js
Relevant as a defense-in-depth companion lab because the reported flaw involves insecure merging of user-controlled configuration into privileged Electron app behavior. This lab helps reinforce Electron trust-boundary mistakes and secure handling of attacker-controlled inputs.