Find, fix and prevent vulnerabilities in your code.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion'). Type confusion in V8 in Google Chrome allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 12.0.12, 11.4.9 or higher.

References

• GitHub PR
• GitHub PR
• GitHub Release
• GitHub Release
• CISA - Known Exploited Vulnerabilities
• PoC in GitHub

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Access Restriction Bypass in Blink.

Remediation

Upgrade electron to version 13.5.0, 12.2.0 or higher.

References

• GitHub PR
• GitHub PR
• GitHub Release
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap Buffer Overflow via WebAudio.

Remediation

Upgrade electron to version 11.4.0, 10.4.1 or higher.

References

• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow. A heap buffer overflow flaw was found in the UI component of the Chromium browser.

Remediation

Upgrade electron to version 9.4.0, 10.2.0 or higher.

References

• Chrome Release Update
• RedHat Bugzilla Bug

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow via the WebRTC module in Chromium.

Remediation

Upgrade electron to version 14.2.0, 13.5.2, 12.2.3 or higher.

References

• GitHub PR
• GitHub PR
• GitHub PR
• GitHub Release
• GitHub Release
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the ANGLE component.

Remediation

Upgrade electron to version 26.6.5, 27.2.2 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow via a crafted HTML page. An attacker can potentially exploit heap corruption by deceiving a user to visit a malicious web page.

Remediation

Upgrade electron to version 27.3.3 or higher.

References

• Chrome Releases
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the ANGLE component. An attacker can potentially exploit heap corruption through a crafted HTML page.

Remediation

Upgrade electron to version 27.3.11, 28.3.1, 29.3.1 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow through the WebRTC component. An attacker can cause heap corruption and potentially execute arbitrary code by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.3, 30.1.2 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Access Control. An insufficient policy enforcement flaw was found in the networking component of chromium.

Remediation

Upgrade electron to version 9.4.0, 10.1.7 or higher.

References

• Chrome Release Update
• Electron - GitHub PR
• RedHat Bugzilla Bug

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Access Control due to an inappropriate implementation in Extensions. An attacker can bypass site isolation.

Remediation

Upgrade electron to version 31.7.4, 32.2.3 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Input Validation. An insufficient data validation flaw was found in the WASM component of the Chromium browser.

Remediation

Upgrade electron to version 9.4.0, 10.1.7 or higher.

References

• Chrome Release Update
• GitHub Commit
• RedHat Bugzilla Bug

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Restriction of Operations within the Bounds of a Memory Buffer due to an inappropriate implementation in the V8 engine. An attacker can potentially perform out of bounds memory access by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.3.0 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Integer Overflow via Chromium in Mojo.

Remediation

Upgrade electron to version 10.4.4 or higher.

References

• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound via the Mojo component of chromium.

Remediation

Upgrade electron to version 10.4.4, 12.0.6 or higher.

References

• GitHub PR
• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound due to handle reuse in Mojo.

Remediation

Upgrade electron to version 14.2.7, 15.4.0 or higher.

References

• GitHub PR
• GitHub PR
• GitHub Release
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Interger Underflow in ANGLE. A remote attacker could potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 14.2.5, 15.3.6 or higher.

References

• GitHub PR
• Github Release 14.2.5
• Github Release 15.3.6

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-Bounds. Object lifecycle issue in audio.

Remediation

Upgrade electron to version 11.4.0, 10.4.1 or higher.

References

• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Read allowing a remote attacker to exploit heap corruption via a crafted HTML page.

Note: The Stable channel has been updated to 120.0.6099.234 for Mac devices.

Remediation

Upgrade electron to version 26.6.7 or higher.

References

• Chrome Releases
• GitHub Commit
• CISA - Known Exploited Vulnerabilities

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Read through the V8 engine. An attacker can access memory locations outside of the intended boundary by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.3 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Read via a crafted HTML page. An attacker can access memory locations outside the intended boundary by crafting a malicious HTML page that triggers the flaw.

Remediation

Upgrade electron to version 31.7.2 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write via a data race in the audio component. A remote attacker could potentially exploit heap corruption using a crafted HTML page.

Remediation

Upgrade electron to version 10.4.1, 11.4.1 or higher.

References

• GitHub PR
• GitHub Release
• CISA - Known Exploited Vulnerabilities

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-Bounds Write through the Streams API. An attacker can execute arbitrary code within a sandboxed environment by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.3 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Privilege Context Switching Error in libuv's handling of io_uring operations called before calling setuid(). This allows users to elevate privileges.

PoC

const { spawn } = require('node:child_process');
const process = require('process');

process.env['UV_USE_IO_URING']=1;

process.setuid(400);
const ls = spawn('cmd.exe', [' whoami']);

ls.stdout.on('data', (data) => {
    console.log(`stdout: ${data}`);
  });
  
ls.stderr.on('data', (data) => {
    console.error(`stderr: ${data}`);
  });
  
ls.on('close', (code) => {
    console.log(`child process exited with code ${code}`);
  });

console.log("The user identity of the Node.js" + " process:", process.getuid());

Remediation

Upgrade electron to version 29.4.0 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• PoC

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion in V8.

Remediation

Upgrade electron to version 12.0.10, 11.4.8, 10.4.7 or higher.

References

• Chromium Security Advisory
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Release
• GitHub Release
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion in V8 via Chrome.

Remediation

Upgrade electron to version 12.0.16, 11.4.11 or higher.

References

• GitHub PR
• GitHub PR
• GitHub Release Notes
• GitHub Release Notes
• PoC
• CISA - Known Exploited Vulnerabilities

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion via Blink layout in Chrome.

Remediation

Upgrade electron to version 13.5.0, 12.2.0 or higher.

References

• GitHub PR
• GitHub PR
• GitHub Release
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion in V8. This allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 13.6.3, 14.2.2, 15.3.3 or higher.

References

• Chrome Release
• GitHub PR 13.x.y Branch
• GitHub PR 14.x.y Branch
• GitHub PR 15.x.y Branch

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion in loader in Google Chrome. This can lead to heap corruption which is exploited through a crafted HTML page.

Remediation

Upgrade electron to version 13.6.6, 14.2.4, 15.3.5 or higher.

References

• Chrome Release
• Chromium Bug Report
• GitHub PR 13.x.y Branch
• GitHub PR 14.x.y Branch
• GitHub PR 15.x.y Branch
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion in V8 in Google Chrome allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 13.6.8, 14.2.5, 15.3.6 or higher.

References

• Chrome Releases
• GitHub PR 13.x.y Branch
• GitHub PR 14.x.y Branch
• GitHub PR 15.x.y Branch

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion in V8.

Remediation

Upgrade electron to version 17.4.11, 18.3.6 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub PR
• GitHub PR
• Google Advisory

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion in V8.

Remediation

Upgrade electron to version 19.1.5, 20.3.5 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub PR
• GitHub Release
• CISA - Known Exploited Vulnerabilities

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion due to the V8 process. An attacker can potentially perform arbitrary read/write by exploiting a crafted HTML page.

Remediation

Upgrade electron to version 29.4.3 or higher.

References

• Chrome Releases
• Github Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free. A use after free flaw was found in the PPAPI component of the Chromium browser.

Remediation

Upgrade electron to version 9.4.0, 10.2.0 or higher.

References

• Chrome Release Update
• RedHat Bugzilla Bug

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Media.

Remediation

Upgrade electron to version 11.2.1, 9.4.4 or higher.

References

• Chromium Security Advisory
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free. It hands sub-queries with both a correlated WHERE clause and a HAVING 0 clause where the parent query is itself an aggregate.

Remediation

Upgrade electron to version 11.2.1, 9.4.4 or higher.

References

• Chromium Security Advisory
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free. When a LayoutInline is removed, LineBoxList::DirtyLinesFromChangedChild tries to mark affected RootInlineBox dirty.

When the |LayoutInline| to be removed is culled, it tries to find the RootInlineBox from its previous siblings, then look for its previous and next RootInlineBoxes.

Occasionally, the next next line of the previous sibling is wrapped at the LayoutInline, and that its LineBreakObj() holds the reference to the LayoutInline. This patch marks such RootInlineBox dirty.

Remediation

Upgrade electron to version 11.4.0, 10.4.1 or higher.

References

• GitHub PR
• GitHub PR
• CISA - Known Exploited Vulnerabilities

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in WebRTC.

Remediation

Upgrade electron to version 11.4.0, 10.4.1 or higher.

References

• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free. It allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 10.4.2, 11.4.1 or higher.

References

• GitHub PR
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via a vulnerability that exists in Blink in Chromium. A remote attacker can trick the victim to visit a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.

Remediation

Upgrade electron to version 11.4.4, 10.4.4 or higher.

References

• GitHub PR
• GitHub PR
• CISA - Known Exploited Vulnerabilities

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via Chrome which allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 12.0.5, 11.4.4, 10.4.4 or higher.

References

• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via chromium which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 12.0.5, 11.4.4, 10.4.4 or higher.

References

• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via Aura in Google Chrome which allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 12.0.5, 11.4.4, 10.4.4 or higher.

References

• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Navigation component of chromium.

Remediation

Upgrade electron to version 10.4.4, 11.4.4, 12.0.6 or higher.

References

• GitHub PR
• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in the chromium extensions resource.

Remediation

Upgrade electron to version 11.4.4, 10.4.4 or higher.

References

• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in File API.

Remediation

Upgrade electron to version 12.0.10, 11.4.8, 10.4.7 or higher.

References

• Chromium Security Advisory
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Release
• GitHub Release
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Notifications.

Remediation

Upgrade electron to version 12.0.10, 11.4.8, 10.4.7 or higher.

References

• Chromium Security Advisory
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Release
• GitHub Release
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free. Use after free in Loader in Google Chrome allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 12.0.12, 11.4.9 or higher.

References

• GitHub PR
• GitHub PR
• GitHub Release
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in BFCache in Google Chrome, which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 12.0.13, 11.4.9 or higher.

References

• GitHub PR
• GitHub PR
• GitHub Release
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in WebGL.

Remediation

Upgrade electron to version 12.0.13, 11.4.10 or higher.

References

• Chromium Security Advisory
• GitHub PR
• GitHub PR
• GitHub Release
• CISA - Known Exploited Vulnerabilities

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in WebRTC.

Remediation

Upgrade electron to version 12.0.14, 11.4.10 or higher.

References

• GitHub Commit
• GitHub PR
• GitHub PR
• GitHub Release
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in WebAudio.

Remediation

Upgrade electron to version 12.0.14, 11.4.10 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub PR
• GitHub PR
• GitHub Release
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Blink XSLT.

Remediation

Upgrade electron to version 12.0.16, 11.4.11 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub PR
• GitHub PR
• GitHub Release Notes
• GitHub Release Notes

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in WebSerial via Chrome.

Remediation

Upgrade electron to version 12.0.16, 11.4.11 or higher.

References

• GitHub PR
• GitHub PR
• GitHub Release Notes 11.4.11
• GitHub Release Notes 12.0.16

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in V8 via Chrome.

Remediation

Upgrade electron to version 12.0.16, 11.4.11 or higher.

References

• GitHub PR
• GitHub PR
• Github Release Notes
• GitHub Release Notes

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in GPU.

Remediation

Upgrade electron to version 13.1.8, 12.0.16, 11.4.11 or higher.

References

• GitHub Release
• GitHub Release
• GitHub Release
• PoC in GitHub

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Autofill.

Remediation

Upgrade electron to version 12.0.16, 11.4.11 or higher.

References

• GitHub PR
• GitHub PR
• GitHub Release Notes
• GitHub Release Notes

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Indexed DB API.

Remediation

Upgrade electron to version 13.5.0, 12.2.0 or higher.

References

• GitHub PR
• GitHub PR
• GitHub Relase
• GitHub Release
• CISA - Known Exploited Vulnerabilities

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via heap corruption through a crafted HTML page.

Remediation

Upgrade electron to version 14.1.1, 13.5.2, 12.2.2 or higher.

References

• GitHub PR 12.2.2
• GitHub PR 13.5.2
• GitHub PR 14.1.1
• CISA - Known Exploited Vulnerabilities

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in the file system API, through a heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 14.1.1, 13.5.2, 12.2.2 or higher.

References

• GitHub PR 12.2.2
• GitHub PR 13.5.2
• GitHub PR 14.1.1

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Garbage Collection module in Chromium.

Remediation

Upgrade electron to version 14.2.1, 13.6.2, 12.2.3 or higher.

References

• GitHub PR
• GitHub PR
• GitHub PR
• GitHub Release
• GitHub Release
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Web Transport module in Chromium.

Remediation

Upgrade electron to version 14.2.1, 13.6.2 or higher.

References

• GitHub PR
• GitHub PR
• GitHub Release
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in loader in Google Chrome. This allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 13.6.3, 14.2.2, 15.3.3 or higher.

References

• Chrome Release
• GitHub PR 13.x.y Branch
• GitHub PR 14.x.y Branch
• GitHub PR 15.x.y Branch

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in the storage foundation, which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page

Remediation

Upgrade electron to version 16.0.0 or higher.

References

• GitHub PR 13.x.y Branch
• GitHub PR 14.x.y Branch
• GitHub PR 15.x.y Branch

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in media in Google Chrome which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 15.3.5 or higher.

References

• GitHub Commit
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via file API in Google Chrome prior to 96.0.4664.93. It allows a remote attacker who have compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 13.6.6, 14.2.4, 15.3.5 or higher.

References

• Chrome Release
• Chromium Bug Report
• GitHub PR
• GitHub Release
• GitHub Release
• Github Releases

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free on context loss.

Remediation

Upgrade electron to version 14.2.7, 15.4.0, 16.0.10 or higher.

References

• GitHub PR
• Github Releases
• Github Releases

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free when the source framebuffer's extents were accidentally used instead of the blit area extents.

Remediation

Upgrade electron to version 14.2.7, 15.4.0, 16.0.10 or higher.

References

• GitHub Commit
• GitHub PR
• GitHub PR
• GitHub PR
• Release Notes
• Release Notes
• Release Notes

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in the BFCache, due to the attempts to cache an interstitial which results in a crash.

Remediation

Upgrade electron to version 16.2.4, 17.4.2 or higher.

References

• GitHub Fix Commit Version 16.x
• GitHub Fix Commit Version 17.x
• GitHub PR
• Google Blog

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in regular expressions (V8).

Remediation

Upgrade electron to version 15.5.3, 16.2.4, 17.4.2 or higher.

References

• Chrome Releases
• GitHub PR 15.x.y
• GitHub PR 16.x.y
• GitHub PR 17.x.y
• GitHub Release 15.5.3
• GitHub Release 16.2.4
• GitHub Release 17.4.2

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Angle, when pausing XFB then deleting a buffer.

Remediation

Upgrade electron to version 15.5.4, 16.2.6, 17.4.3 or higher.

References

• GitHub PR
• GitHub Release
• Github Releases
• Github Releases
• Google Blog

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Vulkan.

Remediation

Upgrade electron to version 15.5.6, 16.2.6, 17.4.4 or higher.

References

• GitHub PR
• GitHub PR
• GitHub Release
• Github Releases
• Github Releases
• Google Blog

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in File System API.

Remediation

Upgrade electron to version 16.2.6, 17.4.3, 18.2.2 or higher.

References

• GitHub PR
• GitHub Release
• Github Releases
• Github Releases
• Google Blog

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in SwiftShader.

Remediation

Upgrade electron to version 15.5.4, 16.2.5, 17.4.3 or higher.

References

• GitHub Commit
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free due to improper cache state validation after the XFB buffer was deleted.

Remediation

Upgrade electron to version 15.5.6, 16.2.7, 17.4.5 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub PR
• GitHub PR
• GitHub PR
• GitHub Release
• Google Blog

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Angle.

Remediation

Upgrade electron to version 17.4.8, 18.3.4 or higher.

References

• Chrome Releases
• GitHub PR
• GitHub PR
• GitHub Release
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free when glBufferData redefines a buffer and the new buffer is smaller than the old buffer.

Remediation

Upgrade electron to version 18.3.11, 19.0.15 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Blink, when a DisplayLock is unlocked via ForceUnlockIfNeeded.

Remediation

Upgrade electron to version 18.3.11 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in SwiftShader.

Remediation

Upgrade electron to version 19.0.15 or higher.

References

• Chrome Releases
• GitHub PR
• GitHub Releases

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in WebSQL

Remediation

Upgrade electron to version 18.3.14, 20.1.4 or higher.

References

• Chrome Releases

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in WebSQL.

Remediation

Upgrade electron to version 18.3.12, 19.0.16, 20.1.2 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub PR
• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Layout.

Remediation

Upgrade electron to version 19.1.0, 18.3.14 or higher.

References

• Chrome Releases

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Network Service

Remediation

Upgrade electron to version 20.1.2, 19.1.0, 18.3.12 or higher.

References

• Chrome Releases
• Electron v20.1.2 Release
• CISA - Known Exploited Vulnerabilities

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Frames, via a crafted HTML page.

Remediation

Upgrade electron to version 18.3.14, 19.1.0 or higher.

References

• Chrome Releases
• GitHub PR
• GitHub Releases
• GitHub Releases

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Layout.

Remediation

Upgrade electron to version 19.1.5, 20.3.5 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub PR
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in WebCodecs, which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 19.1.7, 20.3.7 or higher.

References

• Chrome Releases
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Web Workers, which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 19.1.7, 20.3.7 or higher.

References

• Chrome Releases
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Mojo, via heap corruption.

Remediation

Upgrade electron to version 20.3.9, 21.4.0 or higher.

References

• Chrome Releases
• GitHub Releases v20.3.9
• GitHub Releases v21.4.0

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in WebRTC, causing heap corruption.

Remediation

Upgrade electron to version 20.3.12, 21.4.2 or higher.

References

• Chrome Releases
• GitHub New Releases
• GitHub New Releases

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the WebAudio component. An attacker can potentially exploit heap corruption by convincing a user to visit a crafted HTML page.

Remediation

Upgrade electron to version 26.6.5, 27.2.2 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Web Audio feature. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 26.6.8, 27.3.1 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free due to the improper handling of objects in memory in the Dawn component. An attacker can potentially exploit heap corruption through a crafted HTML page.

Remediation

Upgrade electron to version 27.3.9, 28.2.10, 29.2.0 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free due to improper handling in the WebCodecs component. An attacker can achieve arbitrary read/write access by crafting a malicious HTML page.

Remediation

Upgrade electron to version 27.3.9, 28.2.10, 29.2.0 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free due to improper handling of objects in memory in the Dawn component. An attacker can cause heap corruption and potentially execute arbitrary code by convincing a user to visit a specially crafted HTML page.

Remediation

Upgrade electron to version 27.3.11, 28.3.1, 29.3.1 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the Media Session process. An attacker can execute arbitrary code inside a sandbox by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.3 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the Dawn process. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.3 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the Dawn component. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.3 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in the scheduling process. An attacker can execute arbitrary code inside a sandbox by using a crafted HTML page.

Remediation

Upgrade electron to version 29.4.3 or higher.

References

• Chrome Releases
• Github Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free due to the improper handling of memory in the Dawn process. An attacker can cause heap corruption by crafting a malicious HTML page.

Note: 126.0.6478.56 is the fixed version for Windows and Mac. Version 126.0.6478.54 fixes the vulnerability in Linux

Remediation

Upgrade electron to version 29.4.3 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Dawn process. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Note: 126.0.6478.56 is the fixed version for Windows and Mac. Version 126.0.6478.54 fixes the vulnerability in Linux

Remediation

Upgrade electron to version 29.4.3 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') in v8.

Remediation

Upgrade electron to version 33.4.6, 34.3.4 or higher.

References

• Chrome Releases
• Chromium Issues
• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to External Control of Assumed-Immutable Web Parameter via a crafted HTML page. An attacker can perform an out of bounds memory write by sending a specially crafted HTML content.

Remediation

Upgrade electron to version 31.7.2 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in Skia

Remediation

Upgrade electron to version 31.7.2 or higher.

References

• Chrome Releases
• Chromium Issues
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in Skia.

Remediation

Upgrade electron to version 31.7.2 or higher.

References

• Chrome Releases
• Chromium Issues
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in Skia.

Remediation

Upgrade electron to version 31.7.2 or higher.

References

• Chrome Releases
• Chromium Issues
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Hidden Functionality via the commandLineSwitches webPreference. An attacker can inject arbitrary command-line switches into the renderer process by supplying untrusted configuration objects, potentially disabling security controls or sandboxing.

Note:

This is only exploitable if external or untrusted input is used to construct webPreferences without an explicit allowlist.

Workaround

This vulnerability can be mitigated by not spreading untrusted input into webPreferences and by using an explicit allowlist of permitted preference keys when constructing options from external configuration.

Remediation

Upgrade electron to version 38.8.6, 39.8.0, 40.7.0, 41.0.0-beta.8 or higher.

References

• GitHub Advisory
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Incorrect Calculation of Buffer Size via insufficient validation of untrusted input in ANGLE and GPU. An attacker can escape the sandbox by submitting a specially crafted HTML page.

Remediation

Upgrade electron to version 37.2.4 or higher.

References

• Chrome Releases
• Git Commit
• Git Commit
• Git Diff
• GitHub PR
• CISA - Known Exploited Vulnerabilities

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write via a crafted HTML page. An attacker can execute arbitrary code inside a sandbox by crafting a malicious HTML page.

Remediation

Upgrade electron to version 31.7.7 or higher.

References

• Chrome Releases
• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write through a crafted HTML page. An attacker can execute arbitrary code inside a sandbox by crafting malicious HTML content.

Remediation

Upgrade electron to version 32.3.0 or higher.

References

• Chrome Releases
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write via a crafted HTML page. An attacker can potentially exploit heap corruption by sending a specially crafted HTML page to the victim.

Remediation

Upgrade electron to version 32.3.2, 33.4.2 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write through crafted HTML pages. An attacker can exploit heap corruption by sending a specially crafted HTML page to the victim.

Remediation

Upgrade electron to version 32.3.2, 33.4.2 or higher.

References

• Chrome Releases
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion in v8 engine.

Remediation

Upgrade electron to version 32.3.0 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via MediaStreamTrackImpl. An attacker can cause heap corruption by enticing a user to visit a specially crafted HTML page.

Remediation

Upgrade electron to version 37.2.6 or higher.

References

• Chrome Releases
• Gerrit Code Review
• Git Commit
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Dawn component.

Remediation

Upgrade electron to version 29.4.3 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the Swiftshader process. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.5, 30.2.0 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the Dawn process. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.5, 30.2.0 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free due to the improper handling of memory in the Dawn component. An attacker can cause heap corruption and potentially execute arbitrary code by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.5, 30.2.0 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the Dawn component. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.5, 30.2.0 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Dawn component. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 30.4.0, 31.4.0 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub PR
• GitHub PR
• GitHub PR
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Loader component. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 30.4.0, 31.4.0 or higher.

References

• Chrome Releases
• GitHub PR
• GitHub PR
• GitHub PR
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Dawn component. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 31.7.2 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the WebAudio process. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 31.7.2 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Serial process. An attacker can potentially exploit heap corruption.

Remediation

Upgrade electron to version 31.7.5, 32.2.5 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Compositing process. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 31.7.7 or higher.

References

• Chrome Releases
• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the V8 engine. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 33.4.3 or higher.

References

• Chrome Releases
• Chromium Issues
• GitHub Commit
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the V8 engine.

Remediation

Upgrade electron to version 32.3.3, 33.4.3 or higher.

References

• Chrome Releases
• Chromium Issues
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via lack of support for escapes in PreParserIdentifier V8` process. An attacker can achieve heap corruption by enticing a user to visit a specially crafted HTML page.

Remediation

Upgrade electron to version 37.2.5 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the WebRTC component.

Remediation

Upgrade electron to version 17.4.11, 18.3.6 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub PR
• GitHub PR
• Google Advisory
• CISA - Known Exploited Vulnerabilities

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow through the V8 engine. An attacker can corrupt memory and potentially execute arbitrary code by crafting a malicious HTML page.

Note: This is only exploitable if the user navigates to or is redirected to a malicious web page.

Remediation

Upgrade electron to version 29.4.6, 30.4.0 or higher.

References

• Chrome Releases
• Chromium Issues
• GitHub Commit
• GitHub Releases
• GitHub Releases

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Input Validation. It allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Remediation

Upgrade electron to version 10.4.2, 11.4.1 or higher.

References

• GitHub PR
• GitHub PR #2
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-Bounds. Out of bounds memory access in V8 in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. This vulnerability relates to an electron component.

Remediation

Upgrade electron to version 10.4.2, 11.4.1 or higher.

References

• GitHub PR
• GitHub PR #2
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-Bounds when the V8 engine processes a carefully crafted HTML page. An attacker can perform an out of bounds memory read, thereby potentially gaining unauthorized access to sensitive information.

Remediation

Upgrade electron to version 22.3.23, 24.8.2, 25.8.0 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub Commit
• PoC

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-Bounds memory access in V8 component. This vulnerability allowed a remote attacker to perform arbitrary read/write via a crafted HTML page.

Remediation

Upgrade electron to version 27.3.10, 28.3.0 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Read through the V8 engine. An attacker can access memory locations outside of the intended bounds by crafting a malicious HTML page.

Note: This is only exploitable if the user navigates to or is redirected to a malicious web page.

Remediation

Upgrade electron to version 29.4.6, 30.4.0 or higher.

References

• Chrome Releases
• Chromium Issues
• GitHub Commit
• GitHub Releases
• GitHub Releases

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write allowing a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Note: The Stable channel has been updated to 120.0.6099.234 for Mac devices.

Remediation

Upgrade electron to version 26.6.6, 27.2.3, 28.1.4 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write in Dawn.

Remediation

Upgrade electron to version 31.7.4, 32.2.3 or higher.

References

• Chrome Releases
• Chromium Issues
• GitHub Commit
• GitHub Commit
• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion in InferHasInPrototypeChain of the V8 engine.

Remediation

Upgrade electron to version 31.7.1, 32.2.1 or higher.

References

• Chrome Releases
• Chromium Issues
• GitHub Commit
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion via the V8 engine.

Remediation

Upgrade electron to version 31.7.2 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via improper handling of possible socket destruction in P2PSocketTcpBase. An attacker can achieve heap corruption and potentially execute arbitrary code by enticing a user to visit a specially crafted HTML page.

Remediation

Upgrade electron to version 37.2.4 or higher.

References

• Chrome Releases
• Git Commit
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Mojo runtime libraries collection. This allows an attacker to exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 27.3.4, 28.2.5 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the Audio process. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.6, 30.4.0 or higher.

References

• Chrome Releases
• Chromium Issues
• GitHub Releases
• GitHub Releases

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Navigation process. An attacker can exploit heap corruption by convincing a user to install a malicious extension.

Remediation

Upgrade electron to version 29.4.6, 30.4.0 or higher.

References

• Chrome Releases
• Chromium Issues
• GitHub Releases
• GitHub Releases

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via specific UI gestures in the Screen Capture feature. An attacker can potentially exploit heap corruption by convincing a user to visit a crafted HTML page.

Remediation

Upgrade electron to version 29.4.6, 30.4.0 or higher.

References

• Chrome Releases
• Chromium Issues
• GitHub Releases
• GitHub Releases

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the Media Stream process. An attacker can potentially exploit heap corruption by convincing a user to perform specific UI gestures on a crafted HTML page.

Remediation

Upgrade electron to version 29.4.6, 30.4.0 or higher.

References

• Chrome Releases
• Chromium Issues
• GitHub Releases
• GitHub Releases

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Access Control via nested unserializable return value when using contextIsolation and contextBridge are affected. Exploiting this vulnerability allows code running in the main world context in the renderer to reach into the isolated Electron context and perform privileged actions.

Note

This issue is exploitable under either of two conditions:

1. If an API exposed to the main world via contextBridge can return an object or array that contains a JS object that cannot be serialized, such as a canvas rendering context. This would normally result in an Error: object could not be cloned exception being thrown.

2. If an API exposed to the main world via contextBridge has a return value that throws a user-generated exception while being sent over the bridge, such as a dynamic getter property on an object that throws an error when being computed.

Workaround

The app-side workaround is to ensure that such a case, as mentioned in the workaround section, is not possible.

Ensure all values returned from a function exposed over the context bridge are supported and that any objects returned from functions do not have dynamic getters that can throw exceptions.

Auditing your exposed API is likely to be quite difficult, so we strongly recommend you update to a patched version of Electron.

Remediation

Upgrade electron to version 23.2.3, 25.0.0-alpha.2 or higher.

References

• GitHub Advisory

Overview

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via incomplete sanitization of certain SVG and MathML attributes, including xlink:href, math|href, as well as the attributeName attribute of SVG animation elements when it is bound to href or xlink:href. An attacker can execute arbitrary JavaScript code in the context of the application by injecting a javascript: URL payload into these attributes, which is then triggered either by user interaction or automatically through animation.

Workaround

This vulnerability can be mitigated by:

1. Ensuring that data bound to the vulnerable attributes is never sourced from untrusted user input

2. Avoiding affected template bindings

3. Not binding untrusted data to the attributeName attribute of SVG animation elements

4. Enabling a robust Content Security Policy (CSP) that disallows javascript: URLs.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Affected environments

The following environments are susceptible to an XSS attack:

• Web servers
• Application servers
• Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

• Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
• Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
• Give users the option to disable client-side scripts.
• Redirect invalid requests.
• Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
• Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
• Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade @angular/compiler to version 19.2.17, 20.3.15, 21.0.2 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Read in GPU Video in Google Chrome prior to 111.0.5563.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 22.3.5 or higher.

References

• Chrome Releases
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free. Since JavaScript may detach the underlying buffers, they need to be checked to ensure they're still valid before using them for decoding.

Remediation

Upgrade electron to version 10.2.0, 9.4.4 or higher.

References

• GitHub Commit
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Insecure Defaults. Insufficient policy enforcement in the File System API of chromium allows a remote attacker to bypass filesystem restrictions via a crafted HTML page.

Remediation

Upgrade electron to version 10.4.1, 11.4.1 or higher.

References

• GitHub PR
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write in the Compositing process. An attacker can potentially perform a sandbox escape by exploiting specific UI gestures. This is only exploitable if the attacker has already compromised the GPU process.

Remediation

Upgrade electron to version 27.3.11, 28.3.1, 29.3.1 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the WebGPU process. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 26.6.5, 27.2.2 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub PR