This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.
Workarounds
There are no app-side workarounds, you must update your Electron version to be protected.
Fixed Versions
9.0.0-beta.21
8.2.4
7.2.4
Non-Impacted Versions
9.0.0-beta.*
For more information
If you have any questions or comments about this advisory:
Apps using both contextIsolation and contextBridge are affected.
This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.
Workarounds
There are no app-side workarounds, you must update your Electron version to be protected.
Fixed Versions
9.0.0-beta.21
8.2.4
7.2.4
For more information
If you have any questions or comments about this advisory:
This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.
Workarounds
There are no app-side workarounds, you must update your Electron version to be protected.
Fixed Versions
9.0.0-beta.21
8.2.4
7.2.4
6.1.11
For more information
If you have any questions or comments about this advisory:
IPC messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame.
If your app does ANY of the following, then it is impacted by this issue:
Uses remote
Calls webContents.sendToFrame
Calls event.reply in an IPC message handler
Patches
This has been fixed in the following versions:
9.4.0
10.2.0
11.1.0
12.0.0-beta.9
Workarounds
There are no workarounds for this issue.
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
This vulnerability allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases.
All current stable versions of Electron are affected.
Patches
This was fixed with #30728, and the following Electron versions contain the fix:
15.0.0-alpha.10
14.0.0
13.3.0
12.1.0
11.5.0
Workarounds
If your app enables contextIsolation, this vulnerability is significantly more difficult for an attacker to exploit.
Further, if your app does not depend on the createThumbnailFromPath API, then you can simply disable the functionality. In the main process, before the 'ready' event:
This vulnerability allows renderers to obtain access to a random bluetooth device via the web bluetooth API if the app has not configured a custom select-bluetooth-device event handler. The device that is accessed is random and the attacker would have no way of selecting a specific device.
All current stable versions of Electron are affected.
Patches
This has been patched and the following Electron versions contain the fix:
17.0.0-alpha.6
16.0.6
15.3.5
14.2.4
13.6.6
Workarounds
Adding this code to your app can workaround the issue.
This vulnerability allows a renderer with JS execution to obtain access to a new renderer process with nodeIntegrationInSubFrames enabled which in turn allows effective access to ipcRenderer.
Please note the misleadingly named nodeIntegrationInSubFrames option does not implicitly grant Node.js access rather it depends on the existing sandbox setting. If your application is sandboxed then nodeIntegrationInSubFrames just gives access to the sandboxed renderer APIs (which includes ipcRenderer).
If your application then additionally exposes IPC messages without IPC senderFrame validation that perform privileged actions or return confidential data this access to ipcRenderer can in turn compromise your application / user even with the sandbox enabled.
Patches
This has been patched and the following Electron versions contain the fix:
18.0.0-beta.6
17.2.0
16.2.6
15.5.5
Workarounds
Ensure that all IPC message handlers appropriately validate senderFrame as per our security tutorial here.
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
This vulnerability allows attackers who have control over a given apps update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components.
Please note that this kind of attack would require significant privileges in your own auto updating infrastructure and the ease of that attack entirely depends on your infrastructure security.
Patches
This has been patched and the following Electron versions contain the fix:
18.0.0-beta.6
17.2.0
16.2.0
15.5.0
Workarounds
There are no workarounds for this issue, please update to a patched version of Electron.
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, click this checkbox.
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
6.0.12->15.5.5GitHub Vulnerability Alerts
CVE-2020-4076
Impact
Apps using
contextIsolationare affected.This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.
Workarounds
There are no app-side workarounds, you must update your Electron version to be protected.
Fixed Versions
9.0.0-beta.218.2.47.2.4Non-Impacted Versions
9.0.0-beta.*For more information
If you have any questions or comments about this advisory:
CVE-2020-4075
Impact
The vulnerability allows arbitrary local file read by defining unsafe window options on a child window opened via window.open.
Workarounds
Ensure you are calling
event.preventDefault()on allnew-windowevents where theurloroptionsis not something you expect.Fixed Versions
9.0.0-beta.218.2.47.2.4For more information
If you have any questions or comments about this advisory:
CVE-2020-4077
Impact
Apps using both
contextIsolationandcontextBridgeare affected.This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.
Workarounds
There are no app-side workarounds, you must update your Electron version to be protected.
Fixed Versions
9.0.0-beta.218.2.47.2.4For more information
If you have any questions or comments about this advisory:
CVE-2020-15096
Impact
Apps using
contextIsolationare affected.This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.
Workarounds
There are no app-side workarounds, you must update your Electron version to be protected.
Fixed Versions
9.0.0-beta.218.2.47.2.46.1.11For more information
If you have any questions or comments about this advisory:
CVE-2020-26272
Impact
IPC messages sent from the main process to a subframe in the renderer process, through
webContents.sendToFrame,event.replyor when using theremotemodule, can in some cases be delivered to the wrong frame.If your app does ANY of the following, then it is impacted by this issue:
remotewebContents.sendToFrameevent.replyin an IPC message handlerPatches
This has been fixed in the following versions:
Workarounds
There are no workarounds for this issue.
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
CVE-2021-39184
Impact
This vulnerability allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases.
All current stable versions of Electron are affected.
Patches
This was fixed with #30728, and the following Electron versions contain the fix:
Workarounds
If your app enables
contextIsolation, this vulnerability is significantly more difficult for an attacker to exploit.Further, if your app does not depend on the
createThumbnailFromPathAPI, then you can simply disable the functionality. In the main process, before the 'ready' event:For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
CVE-2022-21718
Impact
This vulnerability allows renderers to obtain access to a random bluetooth device via the web bluetooth API if the app has not configured a custom
select-bluetooth-deviceevent handler. The device that is accessed is random and the attacker would have no way of selecting a specific device.All current stable versions of Electron are affected.
Patches
This has been patched and the following Electron versions contain the fix:
17.0.0-alpha.616.0.615.3.514.2.413.6.6Workarounds
Adding this code to your app can workaround the issue.
For more information If you have any questions or comments about this advisory, email us at security@electronjs.org.
CVE-2022-29247
Impact
This vulnerability allows a renderer with JS execution to obtain access to a new renderer process with
nodeIntegrationInSubFramesenabled which in turn allows effective access toipcRenderer.Please note the misleadingly named
nodeIntegrationInSubFramesoption does not implicitly grant Node.js access rather it depends on the existingsandboxsetting. If your application is sandboxed thennodeIntegrationInSubFramesjust gives access to the sandboxed renderer APIs (which includesipcRenderer).If your application then additionally exposes IPC messages without IPC
senderFramevalidation that perform privileged actions or return confidential data this access toipcRenderercan in turn compromise your application / user even with the sandbox enabled.Patches
This has been patched and the following Electron versions contain the fix:
18.0.0-beta.617.2.016.2.615.5.5Workarounds
Ensure that all IPC message handlers appropriately validate
senderFrameas per our security tutorial here.For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
CVE-2022-29257
Impact
This vulnerability allows attackers who have control over a given apps update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components.
Please note that this kind of attack would require significant privileges in your own auto updating infrastructure and the ease of that attack entirely depends on your infrastructure security.
Patches
This has been patched and the following Electron versions contain the fix:
18.0.0-beta.617.2.016.2.015.5.0Workarounds
There are no workarounds for this issue, please update to a patched version of Electron.
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.