Search for packages
| purl | pkg:npm/electron@17.4.5 |
| Next non-vulnerable version | 28.3.2 |
| Latest non-vulnerable version | 38.0.0-beta.6 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2zn4-vrk9-1qhv
Aliases: CVE-2024-46993 GHSA-6r2x-8pq8-9489 |
Electron vulnerable to Heap Buffer Overflow in NativeImage ### Impact The `nativeImage.createFromPath()` and `nativeImage.createFromBuffer()` functions call a function downstream that is vulnerable to a heap buffer overflow. An Electron program that uses either of the affected functions is vulnerable to a buffer overflow if an attacker is in control of the image's height, width, and contents. ### Workaround There are no app-side workarounds for this issue. You must update your Electron version to be protected. ### Patches - `v28.3.2` - `v29.3.3` - `v30.0.3` ### For More Information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org). |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-9e16-vwtt-fygg
Aliases: CVE-2023-29198 GHSA-p7v2-p9m8-qqg7 |
Electron context isolation bypass via nested unserializable return value ### Impact Apps using `contextIsolation` and `contextBridge` are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. ### Workarounds This issue is exploitable under either of two conditions: * If an API exposed to the main world via `contextBridge` can return an object or array that contains a JS object which cannot be serialized, for instance, a canvas rendering context. This would normally result in an exception being thrown `Error: object could not be cloned`. * If an API exposed to the main world via `contextBridge` has a return value that throws a user-generated exception while being sent over the bridge, for instance a dynamic getter property on an object that throws an error when being computed. The app side workaround is to ensure that such a case is not possible. Ensure all values returned from a function exposed over the context bridge are [supported](https://www.electronjs.org/docs/latest/api/context-bridge#parameter--error--return-type-support) and that any objects returned from functions do not have dynamic getters that can throw exceptions. Auditing your exposed API is likely to be quite difficult so we strongly recommend you update to a patched version of Electron. ### Fixed Versions * `25.0.0-alpha.2` * `24.0.1` * `23.2.3` * `22.3.6` ### For more information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org) |
Affected by 5 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-djd5-4pd8-ffaa
Aliases: CVE-2023-39956 GHSA-7x97-j373-85x5 |
Electron vulnerable to out-of-package code execution when launched with arbitrary cwd ### Impact Apps that are launched as command line executables are impacted. E.g. if your app exposes itself in the path as `myapp --help` Specifically this issue can only be exploited if the following conditions are met: * Your app is launched with an attacker-controlled working directory * The attacker has the ability to write files to that working directory This makes the risk quite low, in fact normally issues of this kind are considered outside of our threat model as similar to Chromium we exclude [Physically Local Attacks](https://github.com/electron/electron/security/advisories/GHSA-7x97-j373-85x5#:~:text=Physically%20Local%20Attacks) but given the ability for this issue to bypass certain protections like ASAR Integrity it is being treated with higher importance. Please bear this in mind when reporting similar issues in the future. ### Workarounds There are no app side workarounds, you must update to a patched version of Electron. ### Fixed Versions * `26.0.0-beta.13` * `25.5.0` * `24.7.1` * `23.3.13` * `22.3.19` ### For more information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org) |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-mhcg-99p6-rqd4
Aliases: CVE-2023-44402 GHSA-7m48-wc93-9g85 |
ASAR Integrity bypass via filetype confusion in electron ### Impact This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS. Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the `resources` folder in your app installation on Windows which these fuses are supposed to protect against. ### Workarounds There are no app side workarounds, you must update to a patched version of Electron. ### Fixed Versions * `27.0.0-alpha.7` * `26.2.1` * `25.8.1` * `24.8.3` * `22.3.24` ### For more information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org) |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-qq4y-61vn-pfdq
Aliases: CVE-2023-5217 GHSA-qqvq-6xgj-jw8g |
Specific handling of an attacker-controlled VP8 media stream could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild. |
Affected by 1 other vulnerability. Affected by 5 other vulnerabilities. Affected by 1 other vulnerability. Affected by 4 other vulnerabilities. Affected by 1 other vulnerability. Affected by 3 other vulnerabilities. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-vmzw-bf7n-sqbb
Aliases: CVE-2022-36077 GHSA-p2jh-44qj-pf2v |
Exfiltration of hashed SMB credentials on Windows via file:// redirect ### Impact When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file is not available to the renderer following the redirect, but if the redirect target is a SMB URL such as `file://some.website.com/`, then in some cases, Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials. ### Patches This issue has been fixed in all current stable versions of Electron. Specifically, these versions contain the fixes: - 21.0.0-beta.1 - 20.0.1 - 19.0.11 - 18.3.7 We recommend all apps upgrade to the latest stable version of Electron. ### Workarounds If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the `WebContents.on('will-redirect')` event, for all WebContents: ```js app.on('web-contents-created', (e, webContents) => { webContents.on('will-redirect', (e, url) => { if (/^file:/.test(url)) e.preventDefault() }) }) ``` ### For more information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org). ### Credit Thanks to user @coolcoolnoworries for reporting this issue. |
Affected by 5 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||