Vulnerability details: VCID-qt3z-catd-q7bu
Vulnerability ID VCID-qt3z-catd-q7bu
Aliases CVE-2023-23623, GHSA-gxh7-wv9q-fwfr
Summary Electron's Content-Security-Policy disabling eval not applied consistently in renderers with sandbox disabled

### Impact

A Content-Security-Policy that disables eval, specifically setting a `script-src` directive and _not_ providing `unsafe-eval` in that directive, is not respected in renderers that have sandbox and contextIsolation disabled, i.e. `sandbox: false` and `contextIsolation: false` in the `webPreferences` object. This resulted in incorrectly allowing usage of methods like `eval()` and `new Function`, which can result in an expanded attack surface.

### Patches

This issue only ever affected the 22 and 23 major versions of Electron and has been fixed in the latest versions of those release lines. Specifically, these versions contain the fixes:

- 22.0.1
- 23.0.0-alpha.2

We recommend all apps upgrade to the latest stable version of Electron, especially if they use `sandbox: false` or `contextIsolation: false`.

### Workarounds

If upgrading isn't possible, this issue can be addressed without upgrading by enabling at least one of `sandbox: true` or `contextIsolation: true` on all renderers.

```js
const mainWindow = new BrowserWindow({
  webPreferences: {
    sandbox: true,
  }
});
```

### For more information

If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org).

### Credit

Thanks to user @andreasdj for reporting this issue.
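The advisory's condition is a conjunction of three things (affected version, both renderer isolations off, a `script-src` without `unsafe-eval`), so a build-time audit can check it directly. The following is an added example, not code from the advisory or the Electron project; the version string, `webPreferences` object and CSP header are assumed to be gathered by the app's own tooling, and the version check follows the advisory text and the CPE list on this page.

```javascript
// Added example, not code from the advisory or the Electron project. It flags
// the combination the advisory describes: affected Electron version, renderer
// with sandbox and contextIsolation disabled, CSP script-src without unsafe-eval.

// Affected builds per the advisory and its CPE list: every 22.0.0 build
// (betas included) and 23.0.0 pre-releases before alpha.2.
function isAffectedElectronVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)\.(\d+))?$/.exec(version);
  if (!m) throw new Error(`unrecognised Electron version: ${version}`);
  const [major, minor, patch] = m.slice(1, 4).map(Number);
  const preNum = m[5] === undefined ? 0 : Number(m[5]);
  if (major === 22) return minor === 0 && patch === 0;
  if (major === 23) return minor === 0 && patch === 0 && m[4] === 'alpha' && preNum < 2;
  return false;
}

// True when the policy sets script-src without 'unsafe-eval' (the policy the
// affected renderers failed to enforce). No script-src means eval was never
// disabled by the policy, so that case is not counted.
function cspDisablesEval(csp) {
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0 || tokens[0].toLowerCase() !== 'script-src') continue;
    return !tokens.slice(1).some((t) => t.toLowerCase() === "'unsafe-eval'");
  }
  return false;
}

// Only explicit `false` counts, matching the advisory's condition (sandbox: false
// AND contextIsolation: false); Electron's per-version defaults are not modelled.
function auditRenderer({ electronVersion, webPreferences = {}, csp = '' }) {
  const bothDisabled =
    webPreferences.sandbox === false && webPreferences.contextIsolation === false;
  const vulnerable =
    bothDisabled && cspDisablesEval(csp) && isAffectedElectronVersion(electronVersion);
  const findings = vulnerable
    ? ['CVE-2023-23623: script-src without unsafe-eval is not enforced; upgrade to ' +
       '22.0.1 / 23.0.0-alpha.2 or set sandbox: true or contextIsolation: true']
    : [];
  return { vulnerable, findings };
}

// Constructed sample: the vulnerable configuration the advisory describes.
const sampleAudit = auditRenderer({
  electronVersion: '22.0.0',
  webPreferences: { sandbox: false, contextIsolation: false },
  csp: "default-src 'self'; script-src 'self'",
});
console.log(sampleAudit.vulnerable); // true
```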
Status Published
Exploitability 0.5
Weighted Severity 8.8
Risk 4.4
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
epss 0.00501 https://api.first.org/data/v1/epss?cve=CVE-2023-23623
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-gxh7-wv9q-fwfr
cvssv3.1 7.5 https://github.com/electron/electron
generic_textual HIGH https://github.com/electron/electron
cvssv3.1 7.5 https://github.com/electron/electron/commit/9e7fbc7021d8d716c43782249a552e55289c35db
generic_textual HIGH https://github.com/electron/electron/commit/9e7fbc7021d8d716c43782249a552e55289c35db
cvssv3.1 7.5 https://github.com/electron/electron/pull/36667
generic_textual HIGH https://github.com/electron/electron/pull/36667
cvssv3.1 7.5 https://github.com/electron/electron/pull/36668
generic_textual HIGH https://github.com/electron/electron/pull/36668
cvssv3.1 7.5 https://github.com/electron/electron/releases/tag/v22.0.1
generic_textual HIGH https://github.com/electron/electron/releases/tag/v22.0.1
cvssv3.1 7.5 https://github.com/electron/electron/security/advisories/GHSA-gxh7-wv9q-fwfr
cvssv3.1_qr HIGH https://github.com/electron/electron/security/advisories/GHSA-gxh7-wv9q-fwfr
generic_textual HIGH https://github.com/electron/electron/security/advisories/GHSA-gxh7-wv9q-fwfr
ssvc Track https://github.com/electron/electron/security/advisories/GHSA-gxh7-wv9q-fwfr
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2023-23623
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2023-23623
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2023-23623
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2023-23623
https://github.com/electron/electron
https://github.com/electron/electron/commit/9e7fbc7021d8d716c43782249a552e55289c35db
https://github.com/electron/electron/pull/36667
https://github.com/electron/electron/pull/36668
https://github.com/electron/electron/releases/tag/v22.0.1
https://github.com/electron/electron/security/advisories/GHSA-gxh7-wv9q-fwfr
https://nvd.nist.gov/vuln/detail/CVE-2023-23623
cpe:2.3:a:electronjs:electron:22.0.0:beta1:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:22.0.0:beta1:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:22.0.0:beta2:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:22.0.0:beta2:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:22.0.0:beta3:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:22.0.0:beta3:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:22.0.0:beta4:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:22.0.0:beta4:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:22.0.0:beta5:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:22.0.0:beta5:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:22.0.0:beta6:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:22.0.0:beta6:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:22.0.0:beta7:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:22.0.0:beta7:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:22.0.0:beta8:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:22.0.0:beta8:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:22.0.0:-:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:22.0.0:-:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:23.0.0:alpha1:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:23.0.0:alpha1:*:*:*:node.js:*:*
GHSA-gxh7-wv9q-fwfr https://github.com/advisories/GHSA-gxh7-wv9q-fwfr
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/electron/electron
Decoded: Attack Vector network; Attack Complexity high; Privileges Required low; User Interaction none; Scope unchanged; Confidentiality high; Integrity high; Availability high
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/electron/electron/commit/9e7fbc7021d8d716c43782249a552e55289c35db
Decoded: Attack Vector network; Attack Complexity high; Privileges Required low; User Interaction none; Scope unchanged; Confidentiality high; Integrity high; Availability high
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/electron/electron/pull/36667
Decoded: Attack Vector network; Attack Complexity high; Privileges Required low; User Interaction none; Scope unchanged; Confidentiality high; Integrity high; Availability high
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/electron/electron/pull/36668
Decoded: Attack Vector network; Attack Complexity high; Privileges Required low; User Interaction none; Scope unchanged; Confidentiality high; Integrity high; Availability high
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/electron/electron/releases/tag/v22.0.1
Decoded: Attack Vector network; Attack Complexity high; Privileges Required low; User Interaction none; Scope unchanged; Confidentiality high; Integrity high; Availability high
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/electron/electron/security/advisories/GHSA-gxh7-wv9q-fwfr
Decoded: Attack Vector network; Attack Complexity high; Privileges Required low; User Interaction none; Scope unchanged; Confidentiality high; Integrity high; Availability high
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-09-26T17:45:10Z/ Found at https://github.com/electron/electron/security/advisories/GHSA-gxh7-wv9q-fwfr
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-23623
Decoded: Attack Vector network; Attack Complexity high; Privileges Required low; User Interaction none; Scope unchanged; Confidentiality high; Integrity high; Availability high
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-23623
Decoded: Attack Vector network; Attack Complexity low; Privileges Required none; User Interaction none; Scope unchanged; Confidentiality high; Integrity high; Availability high
Exploit Prediction Scoring System (EPSS)
Percentile 0.64944
EPSS Score 0.00501
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:41:11.254280+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-gxh7-wv9q-fwfr/GHSA-gxh7-wv9q-fwfr.json 37.0.0