Vulnerability details: VCID-3t8s-sdcz-aaab
Vulnerability ID VCID-3t8s-sdcz-aaab
Aliases CVE-2023-39956, GHSA-7x97-j373-85x5
Summary Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Electron apps that are launched as command line executables are impacted. Specifically, this issue can only be exploited if the following conditions are met: 1. The app is launched with an attacker-controlled working directory and 2. The attacker has the ability to write files to that working directory. This makes the risk quite low; in fact, normally issues of this kind are considered outside of our threat model, as similar to Chromium we exclude Physically Local Attacks, but given the ability for this issue to bypass certain protections like ASAR Integrity, it is being treated with higher importance. This issue has been fixed in versions: `26.0.0-beta.13`, `25.4.1`, `24.7.1`, `23.3.13`, and `22.3.19`. There are no app side workarounds; users must update to a patched version of Electron.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Weaknesses (3)
System Score Found at
epss 0.0002 https://api.first.org/data/v1/epss?cve=CVE-2023-39956
epss 0.00027 https://api.first.org/data/v1/epss?cve=CVE-2023-39956
epss 0.00043 https://api.first.org/data/v1/epss?cve=CVE-2023-39956
epss 0.00231 https://api.first.org/data/v1/epss?cve=CVE-2023-39956
epss 0.00306 https://api.first.org/data/v1/epss?cve=CVE-2023-39956
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-7x97-j373-85x5
cvssv3.1 8.8 https://github.com/electron/electron
generic_textual HIGH https://github.com/electron/electron
cvssv3.1 6.1 https://github.com/electron/electron/security/advisories/GHSA-7x97-j373-85x5
cvssv3.1_qr MODERATE https://github.com/electron/electron/security/advisories/GHSA-7x97-j373-85x5
generic_textual MODERATE https://github.com/electron/electron/security/advisories/GHSA-7x97-j373-85x5
cvssv3 6.6 https://nvd.nist.gov/vuln/detail/CVE-2023-39956
cvssv3.1 6.6 https://nvd.nist.gov/vuln/detail/CVE-2023-39956
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2023-39956
https://github.com/electron/electron
https://github.com/electron/electron/security/advisories/GHSA-7x97-j373-85x5
CVE-2023-39956 https://nvd.nist.gov/vuln/detail/CVE-2023-39956
GHSA-7x97-j373-85x5 https://github.com/advisories/GHSA-7x97-j373-85x5
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/electron/electron
Attack Vector (AV): network
Attack Complexity (AC): low
Privileges Required (PR): none
User Interaction (UI): required
Scope (S): unchanged
Confidentiality Impact (C): high
Integrity Impact (I): high
Availability Impact (A): high

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L Found at https://github.com/electron/electron/security/advisories/GHSA-7x97-j373-85x5
Attack Vector (AV): local
Attack Complexity (AC): low
Privileges Required (PR): low
User Interaction (UI): required
Scope (S): unchanged
Confidentiality Impact (C): low
Integrity Impact (I): high
Availability Impact (A): low

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2023-39956
Attack Vector (AV): local
Attack Complexity (AC): low
Privileges Required (PR): low
User Interaction (UI): none
Scope (S): unchanged
Confidentiality Impact (C): low
Integrity Impact (I): high
Availability Impact (A): low

Exploit Prediction Scoring System (EPSS)
Percentile 0.0396
EPSS Score 0.0002
Published At May 1, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.