Vulnerability details: VCID-2t46-umjt-k3em
Vulnerability ID VCID-2t46-umjt-k3em
Aliases CVE-2018-1000136
GHSA-8xwg-wv7v-4vqp
Summary Electron Vulnerable to Code Execution by Re-Enabling Node.js Integration

A vulnerability has been discovered which allows Node.js integration to be re-enabled in some Electron applications that disable it.

For the application to be impacted by this vulnerability, it must meet all of these conditions:

- Runs on Electron 1.7, 1.8, or a 2.0.0-beta
- Allows execution of arbitrary remote code
- Disables Node.js integration
- Does not explicitly declare `webviewTag: false` in its `webPreferences`
- Does not enable the `nativeWindowOpen` option
- Does not intercept `new-window` events and manually override `event.newGuest` without using the supplied options tag

## Recommendation

Update to `electron` version 1.7.13, 1.8.4, or 2.0.0-beta.5 or later.

If you are unable to update your Electron version, you can mitigate the vulnerability with the following code.

```js
const { app } = require('electron');

// Force safe webPreferences onto every window opened from existing web contents.
app.on('web-contents-created', (event, win) => {
  win.on('new-window', (event, newURL, frameName, disposition,
                        options, additionalFeatures) => {
    if (!options.webPreferences) options.webPreferences = {};
    // Keep Node.js integration and <webview> disabled in the child window.
    options.webPreferences.nodeIntegration = false;
    options.webPreferences.nodeIntegrationInWorker = false;
    options.webPreferences.webviewTag = false;
    // Drop any preload script passed along with the window options.
    delete options.webPreferences.preload;
  })
})

// and *IF* you don't use WebViews at all,
// you might also want
app.on('web-contents-created', (event, win) => {
  win.on('will-attach-webview', (event, webPreferences, params) => {
    // Refuse to attach any <webview>.
    event.preventDefault();
  })
})
```
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
cvssv3 8.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1000136.json
epss 0.01856 https://api.first.org/data/v1/epss?cve=CVE-2018-1000136
epss 0.02214 https://api.first.org/data/v1/epss?cve=CVE-2018-1000136
cvssv3.1 8.1 https://electronjs.org/blog/webview-fix
generic_textual HIGH https://electronjs.org/blog/webview-fix
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-8xwg-wv7v-4vqp
cvssv3.1 8.1 https://github.com/electron/electron
generic_textual HIGH https://github.com/electron/electron
cvssv3.1 8.1 https://github.com/electron/electron/commit/1a48ee28276e6588dbf4e70e58d78e7bfdc57043
generic_textual HIGH https://github.com/electron/electron/commit/1a48ee28276e6588dbf4e70e58d78e7bfdc57043
cvssv3.1 8.1 https://github.com/electron/electron/pull/12271
generic_textual HIGH https://github.com/electron/electron/pull/12271
cvssv3.1 8.1 https://github.com/electron/electron/pull/12292
generic_textual HIGH https://github.com/electron/electron/pull/12292
cvssv3.1 8.1 https://github.com/electron/electron/pull/12294
generic_textual HIGH https://github.com/electron/electron/pull/12294
cvssv2 6.8 https://nvd.nist.gov/vuln/detail/CVE-2018-1000136
cvssv3 8.1 https://nvd.nist.gov/vuln/detail/CVE-2018-1000136
cvssv3.1 8.1 https://nvd.nist.gov/vuln/detail/CVE-2018-1000136
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2018-1000136
cvssv3.1 8.1 https://www.electronjs.org/blog/webview-fix
generic_textual HIGH https://www.electronjs.org/blog/webview-fix
cvssv3.1 8.1 https://www.npmjs.com/advisories/574
generic_textual HIGH https://www.npmjs.com/advisories/574
cvssv3.1 8.1 https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2018-1000136---Electron-nodeIntegration-Bypass
generic_textual HIGH https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2018-1000136---Electron-nodeIntegration-Bypass
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1000136.json
https://api.first.org/data/v1/epss?cve=CVE-2018-1000136
https://electronjs.org/blog/webview-fix
https://github.com/electron/electron
https://github.com/electron/electron/commit/1a48ee28276e6588dbf4e70e58d78e7bfdc57043
https://github.com/electron/electron/pull/12271
https://github.com/electron/electron/pull/12292
https://github.com/electron/electron/pull/12294
https://nvd.nist.gov/vuln/detail/CVE-2018-1000136
https://www.electronjs.org/blog/webview-fix
https://www.npmjs.com/advisories/574
https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2018-1000136---Electron-nodeIntegration-Bypass
1560094 https://bugzilla.redhat.com/show_bug.cgi?id=1560094
cpe:2.3:a:electronjs:electron:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:*:*:*:*:*:*:*:*
cpe:2.3:a:electronjs:electron:2.0.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:electronjs:electron:2.0.0:beta1:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:2.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:electronjs:electron:2.0.0:beta2:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:2.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:electronjs:electron:2.0.0:beta3:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:2.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:electronjs:electron:2.0.0:beta4:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:2.0.0:beta4:*:*:*:*:*:*
CVE-2018-1000136---ELECTRON-NODEINTEGRATION-BYPASS https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2018-1000136---Electron-nodeIntegration-Bypass/
GHSA-8xwg-wv7v-4vqp https://github.com/advisories/GHSA-8xwg-wv7v-4vqp
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1000136.json
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://electronjs.org/blog/webview-fix
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/electron/electron
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/electron/electron/commit/1a48ee28276e6588dbf4e70e58d78e7bfdc57043
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/electron/electron/pull/12271
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/electron/electron/pull/12292
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/electron/electron/pull/12294
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2018-1000136
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2018-1000136
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.electronjs.org/blog/webview-fix
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.npmjs.com/advisories/574
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2018-1000136---Electron-nodeIntegration-Bypass
Exploit Prediction Scoring System (EPSS)
Percentile 0.82264
EPSS Score 0.01856
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:56:21.256737+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/03/GHSA-8xwg-wv7v-4vqp/GHSA-8xwg-wv7v-4vqp.json 37.0.0