Search for packages
| purl | pkg:npm/electron@2.0.17 |
| Next non-vulnerable version | 35.7.5 |
| Latest non-vulnerable version | 42.0.0-alpha.5 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1x44-uf31-1ydv
Aliases: CVE-2020-26272 GHSA-hvf8-h2qh-37m9 |
IPC messages delivered to the wrong frame in Electron ### Impact IPC messages sent from the main process to a subframe in the renderer process, through `webContents.sendToFrame`, `event.reply` or when using the `remote` module, can in some cases be delivered to the wrong frame. If your app does ANY of the following, then it is impacted by this issue: - Uses `remote` - Calls `webContents.sendToFrame` - Calls `event.reply` in an IPC message handler ### Patches This has been fixed in the following versions: - 9.4.0 - 10.2.0 - 11.1.0 - 12.0.0-beta.9 ### Workarounds There are no workarounds for this issue. ### For more information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org). |
Affected by 10 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
VCID-7eu1-94qk-nuar
Aliases: CVE-2023-44402 GHSA-7m48-wc93-9g85 |
ASAR Integrity bypass via filetype confusion in electron This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS. Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the `resources` folder in your app installation on Windows which these fuses are supposed to protect against. |
Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-a795-r67e-p3ck
Aliases: CVE-2023-29198 GHSA-p7v2-p9m8-qqg7 |
Improper Check for Unusual or Exceptional Conditions Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Electron apps using `contextIsolation` and `contextBridge` are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. This issue is only exploitable if an API exposed to the main world via `contextBridge` can return an object or array that contains a javascript object which cannot be serialized, for instance, a canvas rendering context. This would normally result in an exception being thrown `Error: object could not be cloned`. The app side workaround is to ensure that such a case is not possible. Ensure all values returned from a function exposed over the context bridge are supported. This issue has been fixed in versions `25.0.0-alpha.2`, `24.0.1`, `23.2.3`, and `22.3.6`. |
Affected by 6 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-a84t-cjcb-tqcw
Aliases: CVE-2022-36077 GHSA-p2jh-44qj-pf2v |
Exfiltration of hashed SMB credentials on Windows via file:// redirect ### Impact When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file is not available to the renderer following the redirect, but if the redirect target is a SMB URL such as `file://some.website.com/`, then in some cases, Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials. ### Patches This issue has been fixed in all current stable versions of Electron. Specifically, these versions contain the fixes: - 21.0.0-beta.1 - 20.0.1 - 19.0.11 - 18.3.7 We recommend all apps upgrade to the latest stable version of Electron. ### Workarounds If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the `WebContents.on('will-redirect')` event, for all WebContents: ```js app.on('web-contents-created', (e, webContents) => { webContents.on('will-redirect', (e, url) => { if (/^file:/.test(url)) e.preventDefault() }) }) ``` ### For more information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org). ### Credit Thanks to user @coolcoolnoworries for reporting this issue. |
Affected by 6 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-f81v-9fv8-93cd
Aliases: CVE-2023-5217 GHSA-qqvq-6xgj-jw8g |
Out-of-bounds Write Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) |
Affected by 2 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-fahk-eg3e-x7cu
Aliases: CVE-2020-15096 GHSA-6vrv-94jv-crrg |
Context isolation bypass via Promise in Electron ### Impact Apps using `contextIsolation` are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. ### Workarounds There are no app-side workarounds, you must update your Electron version to be protected. ### Fixed Versions * `9.0.0-beta.21` * `8.2.4` * `7.2.4` * `6.1.11` ### For more information If you have any questions or comments about this advisory: * Email us at [security@electronjs.org](mailto:security@electronjs.org) |
Affected by 11 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
VCID-j7d6-zp3s-67fq
Aliases: CVE-2024-46993 GHSA-6r2x-8pq8-9489 |
Electron vulnerable to Heap Buffer Overflow in NativeImage ### Impact The `nativeImage.createFromPath()` and `nativeImage.createFromBuffer()` functions call a function downstream that is vulnerable to a heap buffer overflow. An Electron program that uses either of the affected functions is vulnerable to a buffer overflow if an attacker is in control of the image's height, width, and contents. ### Workaround There are no app-side workarounds for this issue. You must update your Electron version to be protected. ### Patches - `v28.3.2` - `v29.3.3` - `v30.0.3` ### For More Information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org). |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 2 other vulnerabilities. |
|
VCID-nx5d-r4jc-77df
Aliases: CVE-2022-29247 GHSA-mq8j-3h7h-p8g7 |
Compromised child renderer processes could obtain IPC access without nodeIntegrationInSubFrames being enabled ### Impact This vulnerability allows a renderer with JS execution to obtain access to a new renderer process with `nodeIntegrationInSubFrames` enabled which in turn allows effective access to `ipcRenderer`. Please note the misleadingly named `nodeIntegrationInSubFrames` option does not implicitly grant Node.js access rather it depends on the existing `sandbox` setting. If your application is sandboxed then `nodeIntegrationInSubFrames` just gives access to the sandboxed renderer APIs (which includes `ipcRenderer`). If your application then additionally exposes IPC messages without IPC `senderFrame` validation that perform privileged actions or return confidential data this access to `ipcRenderer` can in turn compromise your application / user even with the sandbox enabled. ### Patches This has been patched and the following Electron versions contain the fix: * `18.0.0-beta.6` * `17.2.0` * `16.2.6` * `15.5.5` ### Workarounds Ensure that all IPC message handlers appropriately validate `senderFrame` as per our [security tutorial here](https://github.com/electron/electron/blob/main/docs/tutorial/security.md#17-validate-the-sender-of-all-ipc-messages). ### For more information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org). |
Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-p167-yf3n-6qd5
Aliases: CVE-2022-29257 GHSA-77xc-hjv8-ww97 |
AutoUpdater module fails to validate certain nested components of the bundle ### Impact This vulnerability allows attackers who have control over a given apps update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components. Please note that this kind of attack would require **significant** privileges in your own auto updating infrastructure and the ease of that attack entirely depends on your infrastructure security. ### Patches This has been patched and the following Electron versions contain the fix: * `18.0.0-beta.6` * `17.2.0` * `16.2.0` * `15.5.0` ### Workarounds There are no workarounds for this issue, please update to a patched version of Electron. ### For more information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org) |
Affected by 8 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-qd52-rbd7-qkbn
Aliases: CVE-2025-55305 GHSA-vmqv-hx8q-j7mg |
Electron has ASAR Integrity Bypass via resource modification ### Impact This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) enabled. Apps without these fuses enabled are not impacted. Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the `resources` folder in your app installation on Windows which these fuses are supposed to protect against. ### Workarounds There are no app side workarounds, you must update to a patched version of Electron. ### Fixed Versions * `38.0.0-beta.6` * `37.3.1` * `36.8.1` * `35.7.5` ### For more information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org) |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-w7f7-5frp-n3br
Aliases: CVE-2023-39956 GHSA-7x97-j373-85x5 |
Improper Control of Generation of Code ('Code Injection') Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Electron apps that are launched as command line executables are impacted. Specifically this issue can only be exploited if the following conditions are met: 1. The app is launched with an attacker-controlled working directory and 2. The attacker has the ability to write files to that working directory. This makes the risk quite low, in fact normally issues of this kind are considered outside of our threat model as similar to Chromium we exclude Physically Local Attacks but given the ability for this issue to bypass certain protections like ASAR Integrity it is being treated with higher importance. This issue has been fixed in versions:`26.0.0-beta.13`, `25.4.1`, `24.7.1`, `23.3.13`, and `22.3.19`. There are no app side workarounds, users must update to a patched version of Electron. |
Affected by 0 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-xys1-xe1s-jqha
Aliases: CVE-2022-21718 GHSA-3p22-ghq8-v749 |
Exposure of Resource to Wrong Sphere Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` allows renderers to obtain access to a bluetooth device via the web bluetooth API if the app has not configured a custom `select-bluetooth-device` event handler. This has been patched and Electron versions `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue. |
Affected by 9 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 9 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||