Search for vulnerabilities
Vulnerability details: VCID-x33f-kyxy-aaas
Vulnerability ID VCID-x33f-kyxy-aaas
Aliases CVE-2023-29198
GHSA-p7v2-p9m8-qqg7
Summary Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Electron apps using `contextIsolation` and `contextBridge` are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. This issue is only exploitable if an API exposed to the main world via `contextBridge` can return an object or array that contains a javascript object which cannot be serialized, for instance, a canvas rendering context. This would normally result in an exception being thrown `Error: object could not be cloned`. The app side workaround is to ensure that such a case is not possible. Ensure all values returned from a function exposed over the context bridge are supported. This issue has been fixed in versions `25.0.0-alpha.2`, `24.0.1`, `23.2.3`, and `22.3.6`.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-754 Improper Check for Unusual or Exceptional Conditions
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00072 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00072 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00072 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00072 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00072 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00072 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00072 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00072 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00087 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00087 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00087 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00087 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00089 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00089 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00089 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00089 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00089 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00089 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00089 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00089 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00089 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00089 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00089 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00089 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00412 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00412 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00412 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00412 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00412 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00412 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00412 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00412 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00412 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00412 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00412 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00412 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00412 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00412 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.00582 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
epss 0.0059 https://api.first.org/data/v1/epss?cve=CVE-2023-29198
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-p7v2-p9m8-qqg7
cvssv3.1 8.8 https://github.com/electron/electron
generic_textual HIGH https://github.com/electron/electron
cvssv3.1 6.0 https://github.com/electron/electron/security/advisories/GHSA-p7v2-p9m8-qqg7
cvssv3.1_qr MODERATE https://github.com/electron/electron/security/advisories/GHSA-p7v2-p9m8-qqg7
generic_textual MODERATE https://github.com/electron/electron/security/advisories/GHSA-p7v2-p9m8-qqg7
cvssv3 8.5 https://nvd.nist.gov/vuln/detail/CVE-2023-29198
cvssv3.1 8.5 https://nvd.nist.gov/vuln/detail/CVE-2023-29198
cvssv3.1 6.0 https://www.electronjs.org/docs/latest/api/context-bridge#parameter--error--return-type-support
generic_textual MODERATE https://www.electronjs.org/docs/latest/api/context-bridge#parameter--error--return-type-support
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2023-29198
https://github.com/electron/electron
https://github.com/electron/electron/security/advisories/GHSA-p7v2-p9m8-qqg7
https://www.electronjs.org/docs/latest/api/context-bridge#parameter--error--return-type-support
cpe:2.3:a:electronjs:electron:24.0.0:alpha1:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:24.0.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:24.0.0:alpha2:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:24.0.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:24.0.0:alpha3:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:24.0.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:24.0.0:alpha4:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:24.0.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:24.0.0:alpha5:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:24.0.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:24.0.0:alpha6:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:24.0.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:24.0.0:alpha7:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:24.0.0:alpha7:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:24.0.0:beta1:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:24.0.0:beta1:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:24.0.0:beta2:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:24.0.0:beta2:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:24.0.0:beta3:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:24.0.0:beta3:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:24.0.0:beta4:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:24.0.0:beta4:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:24.0.0:beta5:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:24.0.0:beta5:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:24.0.0:beta6:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:24.0.0:beta6:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:24.0.0:beta7:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:24.0.0:beta7:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:24.0.0:-:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:24.0.0:-:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:25.0.0:alpha1:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:25.0.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*
CVE-2023-29198 https://nvd.nist.gov/vuln/detail/CVE-2023-29198
GHSA-p7v2-p9m8-qqg7 https://github.com/advisories/GHSA-p7v2-p9m8-qqg7
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/electron/electron
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L Found at https://github.com/electron/electron/security/advisories/GHSA-p7v2-p9m8-qqg7
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-29198
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-29198
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L Found at https://www.electronjs.org/docs/latest/api/context-bridge#parameter--error--return-type-support
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.22667
EPSS Score 0.00072
Published At April 15, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.