GHSA-8xwg-wv7v-4vqp

Source
https://github.com/advisories/GHSA-8xwg-wv7v-4vqp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/03/GHSA-8xwg-wv7v-4vqp/GHSA-8xwg-wv7v-4vqp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8xwg-wv7v-4vqp
Aliases
Published
2018-03-26T16:41:17Z
Modified
2023-11-08T03:59:35.638763Z
Severity
  • CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Electron Vulnerable to Code Execution by Re-Enabling Node.js Integration
Details

A vulnerability has been discovered which allows Node.js integration to be re-enabled in some Electron applications that disable it.

For the application to be impacted by this vulnerability, it must meet all of these conditions:

  • Runs on Electron 1.7, 1.8, or a 2.0.0-beta
  • Allows execution of arbitrary remote code
  • Disables Node.js integration
  • Does not explicitly declare webviewTag: false in its webPreferences
  • Does not enable the nativeWindowOpen option
  • Does not intercept new-window events and manually override event.newGuest without using the supplied options tag
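The six conditions above can be turned into a configuration check. The following is an added example, not code from the advisory or from Electron: it takes a constructed description of an app (the field names `electronVersion`, `loadsRemoteContent`, `webPreferences` and `overridesNewGuest` are assumptions) and reports whether every condition holds, using the affected version ranges published for this advisory.

```javascript
// Added example, not part of the advisory or of Electron itself.
// Evaluates a constructed description of an app's configuration against
// the six conditions listed in the advisory. Field names are assumed.

// Affected ranges as published in the advisory: [introduced, fixed).
const AFFECTED_RANGES = [
  ['1.7.0', '1.7.13'],
  ['1.8.0', '1.8.4'],
  ['2.0.0-beta.1', '2.0.0-beta.5'],
];

// Minimal comparison for "x.y.z" and "x.y.z-beta.N" version strings;
// a prerelease sorts below the final release with the same core version.
function parseVersion(v) {
  const [core, pre] = v.split('-');
  const preNumber = pre === undefined ? Infinity : Number(pre.split('.')[1] || 0);
  return [...core.split('.').map(Number), preNumber];
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < pa.length; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isAffectedVersion(version) {
  return AFFECTED_RANGES.some(([introduced, fixed]) =>
    compareVersions(version, introduced) >= 0 &&
    compareVersions(version, fixed) < 0);
}

// True only when every condition from the advisory holds for the app.
function meetsAllConditions(config) {
  const wp = config.webPreferences || {};
  return isAffectedVersion(config.electronVersion) &&
    config.loadsRemoteContent === true &&
    wp.nodeIntegration === false &&
    wp.webviewTag !== false &&          // only an explicit false is safe
    wp.nativeWindowOpen !== true &&
    config.overridesNewGuest !== true;
}

// Constructed sample: a 1.8.3 app that disabled nodeIntegration but kept
// the other defaults in place.
const sampleApp = {
  electronVersion: '1.8.3',
  loadsRemoteContent: true,
  webPreferences: { nodeIntegration: false },
  overridesNewGuest: false,
};
console.log(meetsAllConditions(sampleApp)); // true
```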

Recommendation

Update to electron version 1.7.13, 1.8.4, or 2.0.0-beta.5 or later.

If you are unable to update your Electron version, you can mitigate the vulnerability with the following code.

const { app } = require('electron');

// Strip any Node.js-enabling preferences from windows opened by page content,
// whatever the opener supplied in the window features string.
app.on('web-contents-created', (event, win) => {
  win.on('new-window', (event, newURL, frameName, disposition,
                        options, additionalFeatures) => {
    if (!options.webPreferences) options.webPreferences = {};
    options.webPreferences.nodeIntegration = false;
    options.webPreferences.nodeIntegrationInWorker = false;
    options.webPreferences.webviewTag = false;
    delete options.webPreferences.preload;
  })
})

// and *IF* you don't use WebViews at all,
// you might also want
app.on('web-contents-created', (event, win) => {
  // Refuse every <webview> attachment in this window.
  win.on('will-attach-webview', (event, webPreferences, params) => {
    event.preventDefault();
  })
})
References

Affected packages

npm / electron

  • Affected range (SEMVER): introduced 1.7.0, fixed 1.7.13
  • Affected range (SEMVER): introduced 1.8.0, fixed 1.8.4
  • Affected range (SEMVER): introduced 2.0.0-beta.1, fixed 2.0.0-beta.5