Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-dwqm-hym4-xqa9
Vulnerability ID VCID-dwqm-hym4-xqa9
Aliases CVE-2017-12581
GHSA-7fv9-m79r-j9x8
Summary OS Command Injection Recent Electron versions do not have strict Same Origin Policy (SOP) enforcement. Combining an SOP bypass with a privileged URL internally used by Electron, it was possible to execute native Node.js primitives in order to run OS commands on the user's host.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.01854 https://api.first.org/data/v1/epss?cve=CVE-2017-12581
epss 0.01854 https://api.first.org/data/v1/epss?cve=CVE-2017-12581
epss 0.01854 https://api.first.org/data/v1/epss?cve=CVE-2017-12581
epss 0.01854 https://api.first.org/data/v1/epss?cve=CVE-2017-12581
epss 0.01854 https://api.first.org/data/v1/epss?cve=CVE-2017-12581
epss 0.02336 https://api.first.org/data/v1/epss?cve=CVE-2017-12581
epss 0.02336 https://api.first.org/data/v1/epss?cve=CVE-2017-12581
epss 0.02336 https://api.first.org/data/v1/epss?cve=CVE-2017-12581
epss 0.02336 https://api.first.org/data/v1/epss?cve=CVE-2017-12581
epss 0.02336 https://api.first.org/data/v1/epss?cve=CVE-2017-12581
epss 0.02336 https://api.first.org/data/v1/epss?cve=CVE-2017-12581
epss 0.02336 https://api.first.org/data/v1/epss?cve=CVE-2017-12581
epss 0.02336 https://api.first.org/data/v1/epss?cve=CVE-2017-12581
epss 0.02336 https://api.first.org/data/v1/epss?cve=CVE-2017-12581
cvssv3.1 8.1 https://blog.doyensec.com/2017/08/03/electron-framework-security.html
generic_textual HIGH https://blog.doyensec.com/2017/08/03/electron-framework-security.html
cvssv3.1 8.1 https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security.pdf
generic_textual HIGH https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security.pdf
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-7fv9-m79r-j9x8
cvssv3.1 8.1 https://github.com/electron/electron
generic_textual HIGH https://github.com/electron/electron
cvssv3.1 8.1 https://github.com/electron/electron/commit/05b6d91bf4c1e0ee65eeef70cd5d1bd1df125644
generic_textual HIGH https://github.com/electron/electron/commit/05b6d91bf4c1e0ee65eeef70cd5d1bd1df125644
cvssv3.1 8.1 https://nvd.nist.gov/vuln/detail/CVE-2017-12581
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2017-12581
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2017-12581
https://blog.doyensec.com/2017/08/03/electron-framework-security.html
https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security.pdf
https://github.com/electron/electron
https://github.com/electron/electron/commit/05b6d91bf4c1e0ee65eeef70cd5d1bd1df125644
CVE-2017-12581 https://nvd.nist.gov/vuln/detail/CVE-2017-12581
GHSA-7fv9-m79r-j9x8 https://github.com/advisories/GHSA-7fv9-m79r-j9x8
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://blog.doyensec.com/2017/08/03/electron-framework-security.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security.pdf
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/electron/electron
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/electron/electron/commit/05b6d91bf4c1e0ee65eeef70cd5d1bd1df125644
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2017-12581
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.82949
EPSS Score 0.01854
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:47:17.365737+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2017-12581.yml 38.0.0