Vulnerability details: VCID-djd5-4pd8-ffaa
Vulnerability ID VCID-djd5-4pd8-ffaa
Aliases CVE-2023-39956
GHSA-7x97-j373-85x5
Summary Electron vulnerable to out-of-package code execution when launched with arbitrary cwd

### Impact
Apps that are launched as command line executables are impacted, e.g. if your app exposes itself in the path as `myapp --help`.

Specifically, this issue can only be exploited if the following conditions are met:
* Your app is launched with an attacker-controlled working directory
* The attacker has the ability to write files to that working directory

This makes the risk quite low; in fact, issues of this kind are normally considered outside of our threat model, as, similar to Chromium, we exclude [Physically Local Attacks](https://github.com/electron/electron/security/advisories/GHSA-7x97-j373-85x5#:~:text=Physically%20Local%20Attacks). However, given the ability for this issue to bypass certain protections like ASAR Integrity, it is being treated with higher importance. Please bear this in mind when reporting similar issues in the future.

### Workarounds
There are no app-side workarounds; you must update to a patched version of Electron.

### Fixed Versions
* `26.0.0-beta.13`
* `25.5.0`
* `24.7.1`
* `23.3.13`
* `22.3.19`

### For more information
If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org)
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
epss 0.0002 https://api.first.org/data/v1/epss?cve=CVE-2023-39956
epss 0.00027 https://api.first.org/data/v1/epss?cve=CVE-2023-39956
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-7x97-j373-85x5
cvssv3.1 6.1 https://github.com/electron/electron
generic_textual MODERATE https://github.com/electron/electron
cvssv3.1 6.1 https://github.com/electron/electron/security/advisories/GHSA-7x97-j373-85x5
cvssv3.1_qr MODERATE https://github.com/electron/electron/security/advisories/GHSA-7x97-j373-85x5
generic_textual MODERATE https://github.com/electron/electron/security/advisories/GHSA-7x97-j373-85x5
ssvc Track https://github.com/electron/electron/security/advisories/GHSA-7x97-j373-85x5
cvssv3.1 6.1 https://nvd.nist.gov/vuln/detail/CVE-2023-39956
cvssv3.1 6.6 https://nvd.nist.gov/vuln/detail/CVE-2023-39956
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2023-39956
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2023-39956
https://github.com/electron/electron
https://github.com/electron/electron/security/advisories/GHSA-7x97-j373-85x5
https://nvd.nist.gov/vuln/detail/CVE-2023-39956
cpe:2.3:a:electronjs:electron:26.0.0:alpha1:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:26.0.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:26.0.0:alpha2:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:26.0.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:26.0.0:alpha3:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:26.0.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:26.0.0:alpha4:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:26.0.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:26.0.0:alpha5:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:26.0.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:26.0.0:alpha6:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:26.0.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:26.0.0:alpha7:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:26.0.0:alpha7:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:26.0.0:alpha8:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:26.0.0:alpha8:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:26.0.0:beta10:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:26.0.0:beta10:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:26.0.0:beta11:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:26.0.0:beta11:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:26.0.0:beta12:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:26.0.0:beta12:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:26.0.0:beta1:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:26.0.0:beta1:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:26.0.0:beta2:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:26.0.0:beta2:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:26.0.0:beta3:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:26.0.0:beta3:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:26.0.0:beta4:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:26.0.0:beta4:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:26.0.0:beta5:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:26.0.0:beta5:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:26.0.0:beta6:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:26.0.0:beta6:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:26.0.0:beta7:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:26.0.0:beta7:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:26.0.0:beta8:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:26.0.0:beta8:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:26.0.0:beta9:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:26.0.0:beta9:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*
GHSA-7x97-j373-85x5 https://github.com/advisories/GHSA-7x97-j373-85x5
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L Found at https://github.com/electron/electron
Attack Vector (AV): local; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): required; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): high; Availability Impact (A): low

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L Found at https://github.com/electron/electron/security/advisories/GHSA-7x97-j373-85x5

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-26T14:44:20Z/ Found at https://github.com/electron/electron/security/advisories/GHSA-7x97-j373-85x5
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2023-39956

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2023-39956
Attack Vector (AV): local; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): high; Availability Impact (A): low

Exploit Prediction Scoring System (EPSS)
Percentile 0.03829
EPSS Score 0.0002
Published At Aug. 1, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:41:35.615327+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-7x97-j373-85x5/GHSA-7x97-j373-85x5.json 37.0.0