CVE-2018-1000136 – electron
Package
Manager: npm
Name: electron
Vulnerable Version: >=1.7.0 <1.7.13 || >=1.8.0 <1.8.4 || >=2.0.0-beta.1 <2.0.0-beta.5
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.01856 (percentile 0.82324)
Details
Electron Vulnerable to Code Execution by Re-Enabling Node.js Integration

A vulnerability has been discovered which allows Node.js integration to be re-enabled in some Electron applications that disable it. For the application to be impacted by this vulnerability it must meet all of these conditions:

- Runs on Electron 1.7, 1.8, or a 2.0.0-beta
- Allows execution of arbitrary remote code
- Disables Node.js integration
- Does not explicitly declare `webviewTag: false` in its `webPreferences`
- Does not enable the `nativeWindowOption` option
- Does not intercept `new-window` events and manually override `event.newGuest` without using the supplied options tag

## Recommendation

Update to `electron` version 1.7.13, 1.8.4, or 2.0.0-beta.5 or later. If you are unable to update your Electron version, you can mitigate the vulnerability with the following code.

```js
// Force safe webPreferences on every child window a renderer tries to open,
// regardless of what the renderer asked for.
app.on('web-contents-created', (event, win) => {
  win.on('new-window', (event, newURL, frameName, disposition, options, additionalFeatures) => {
    if (!options.webPreferences) options.webPreferences = {};
    options.webPreferences.nodeIntegration = false;
    options.webPreferences.nodeIntegrationInWorker = false;
    options.webPreferences.webviewTag = false;
    delete options.webPreferences.preload;
  })
})

// and *IF* you don't use WebViews at all,
// you might also want
app.on('web-contents-created', (event, win) => {
  win.on('will-attach-webview', (event, webPreferences, params) => {
    event.preventDefault();
  })
})
```
Metadata
Created: 2018-03-26T16:41:17Z
Modified: 2023-09-13T19:06:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/03/GHSA-8xwg-wv7v-4vqp/GHSA-8xwg-wv7v-4vqp.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-8xwg-wv7v-4vqp
Finding: F184
Auto approve: 1