Search for vulnerabilities
Vulnerability details: VCID-nyb5-rxp9-xfdj
Vulnerability ID VCID-nyb5-rxp9-xfdj
Aliases CVE-2020-15174
GHSA-2q4g-w47c-4674
Summary Unpreventable top-level navigation ### Impact The `will-navigate` event that apps use to prevent navigations to unexpected destinations [as per our security recommendations](https://www.electronjs.org/docs/tutorial/security) can be bypassed when a sub-frame performs a top-frame navigation across sites. ### Patches * `11.0.0-beta.1` * `10.0.1` * `9.3.0` * `8.5.1` ### Workarounds Sandbox all your iframes using the [`sandbox` attribute](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox). This will prevent them creating top-frame navigations and is good practice anyway. ### For more information If you have any questions or comments about this advisory: * Email us at security@electronjs.org
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-20 Improper Input Validation
CWE-693 Protection Mechanism Failure
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00189 https://api.first.org/data/v1/epss?cve=CVE-2020-15174
epss 0.00189 https://api.first.org/data/v1/epss?cve=CVE-2020-15174
epss 0.00189 https://api.first.org/data/v1/epss?cve=CVE-2020-15174
epss 0.00189 https://api.first.org/data/v1/epss?cve=CVE-2020-15174
epss 0.00189 https://api.first.org/data/v1/epss?cve=CVE-2020-15174
epss 0.00189 https://api.first.org/data/v1/epss?cve=CVE-2020-15174
epss 0.00189 https://api.first.org/data/v1/epss?cve=CVE-2020-15174
epss 0.00189 https://api.first.org/data/v1/epss?cve=CVE-2020-15174
epss 0.00189 https://api.first.org/data/v1/epss?cve=CVE-2020-15174
epss 0.00189 https://api.first.org/data/v1/epss?cve=CVE-2020-15174
epss 0.00189 https://api.first.org/data/v1/epss?cve=CVE-2020-15174
epss 0.00189 https://api.first.org/data/v1/epss?cve=CVE-2020-15174
epss 0.00189 https://api.first.org/data/v1/epss?cve=CVE-2020-15174
epss 0.00189 https://api.first.org/data/v1/epss?cve=CVE-2020-15174
epss 0.00189 https://api.first.org/data/v1/epss?cve=CVE-2020-15174
epss 0.00189 https://api.first.org/data/v1/epss?cve=CVE-2020-15174
epss 0.00189 https://api.first.org/data/v1/epss?cve=CVE-2020-15174
epss 0.00189 https://api.first.org/data/v1/epss?cve=CVE-2020-15174
epss 0.00189 https://api.first.org/data/v1/epss?cve=CVE-2020-15174
epss 0.00189 https://api.first.org/data/v1/epss?cve=CVE-2020-15174
epss 0.00189 https://api.first.org/data/v1/epss?cve=CVE-2020-15174
epss 0.00189 https://api.first.org/data/v1/epss?cve=CVE-2020-15174
epss 0.00189 https://api.first.org/data/v1/epss?cve=CVE-2020-15174
epss 0.00189 https://api.first.org/data/v1/epss?cve=CVE-2020-15174
epss 0.00189 https://api.first.org/data/v1/epss?cve=CVE-2020-15174
epss 0.00189 https://api.first.org/data/v1/epss?cve=CVE-2020-15174
epss 0.00189 https://api.first.org/data/v1/epss?cve=CVE-2020-15174
epss 0.00189 https://api.first.org/data/v1/epss?cve=CVE-2020-15174
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-2q4g-w47c-4674
cvssv3.1 7.5 https://github.com/electron/electron
generic_textual HIGH https://github.com/electron/electron
cvssv3.1 7.5 https://github.com/electron/electron/commit/18613925610ba319da7f497b6deed85ad712c59b
generic_textual HIGH https://github.com/electron/electron/commit/18613925610ba319da7f497b6deed85ad712c59b
cvssv3.1 7.5 https://github.com/electron/electron/security/advisories/GHSA-2q4g-w47c-4674
cvssv3.1_qr HIGH https://github.com/electron/electron/security/advisories/GHSA-2q4g-w47c-4674
generic_textual HIGH https://github.com/electron/electron/security/advisories/GHSA-2q4g-w47c-4674
cvssv2 5.8 https://nvd.nist.gov/vuln/detail/CVE-2020-15174
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2020-15174
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2020-15174
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2020-15174
https://github.com/electron/electron
https://github.com/electron/electron/commit/18613925610ba319da7f497b6deed85ad712c59b
https://github.com/electron/electron/security/advisories/GHSA-2q4g-w47c-4674
https://nvd.nist.gov/vuln/detail/CVE-2020-15174
cpe:2.3:a:electronjs:electron:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:*:*:*:*:*:*:*:*
GHSA-2q4g-w47c-4674 https://github.com/advisories/GHSA-2q4g-w47c-4674
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:L Found at https://github.com/electron/electron
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:L Found at https://github.com/electron/electron/commit/18613925610ba319da7f497b6deed85ad712c59b
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:L Found at https://github.com/electron/electron/security/advisories/GHSA-2q4g-w47c-4674
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2020-15174
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2020-15174
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.41134
EPSS Score 0.00189
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:45:54.396002+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/10/GHSA-2q4g-w47c-4674/GHSA-2q4g-w47c-4674.json 37.0.0