Closed rikako3 closed 10 months ago
The recent app release comes with @electron 26.2.1 (see "about" window in the app or respective line of the package.json code sources file). According to CVE-2023-4863, @electron 26.2.1 got patched, so not affected.
I see, thanks for the quick response!
Hi, recently there was a vulnerability in libwebp, used by Chromium, which allows remote code execution by parsing a WebP image.
The original Chromium CVE is CVE-2023-4863 (score: 8.8), although somewhat confusingly there is also a separate libwebp CVE-2023-5129 (score: 10.0).
This also affects Electron applications, so I was wondering if this affects ElectronMail. Does ProtonMail support previewing WebP images? If so, I think it might be vulnerable. I see the current electron-builder version is 24.0.0, and the corresponding patched version is 24.8.3 according to the GitHub advisory.