Find, fix and prevent vulnerabilities in your code.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the ANGLE component.

Remediation

Upgrade electron to version 26.6.5, 27.2.2 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow via a crafted HTML page. An attacker can potentially exploit heap corruption by deceiving a user to visit a malicious web page.

Remediation

Upgrade electron to version 27.3.3 or higher.

References

• Chrome Releases
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the ANGLE component. An attacker can potentially exploit heap corruption through a crafted HTML page.

Remediation

Upgrade electron to version 27.3.11, 28.3.1, 29.3.1 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow through the WebRTC component. An attacker can cause heap corruption and potentially execute arbitrary code by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.3, 30.1.2 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Access Control due to an inappropriate implementation in Extensions. An attacker can bypass site isolation.

Remediation

Upgrade electron to version 31.7.4, 32.2.3 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Restriction of Operations within the Bounds of a Memory Buffer due to an inappropriate implementation in the V8 engine. An attacker can potentially perform out of bounds memory access by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.3.0 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Read allowing a remote attacker to exploit heap corruption via a crafted HTML page.

Note: The Stable channel has been updated to 120.0.6099.234 for Mac devices.

Remediation

Upgrade electron to version 26.6.7 or higher.

References

• Chrome Releases
• GitHub Commit
• CISA - Known Exploited Vulnerabilities

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Read through the V8 engine. An attacker can access memory locations outside of the intended boundary by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.3 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Read via a crafted HTML page. An attacker can access memory locations outside the intended boundary by crafting a malicious HTML page that triggers the flaw.

Remediation

Upgrade electron to version 31.7.2 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-Bounds Write through the Streams API. An attacker can execute arbitrary code within a sandboxed environment by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.3 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Privilege Context Switching Error in libuv's handling of io_uring operations called before calling setuid(). This allows users to elevate privileges.

PoC

const { spawn } = require('node:child_process');
const process = require('process');

process.env['UV_USE_IO_URING']=1;

process.setuid(400);
const ls = spawn('cmd.exe', [' whoami']);

ls.stdout.on('data', (data) => {
    console.log(`stdout: ${data}`);
  });
  
ls.stderr.on('data', (data) => {
    console.error(`stderr: ${data}`);
  });
  
ls.on('close', (code) => {
    console.log(`child process exited with code ${code}`);
  });

console.log("The user identity of the Node.js" + " process:", process.getuid());

Remediation

Upgrade electron to version 29.4.0 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• PoC

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion in V8.

Remediation

Upgrade electron to version 17.4.11, 18.3.6 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub PR
• GitHub PR
• Google Advisory

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion in V8.

Remediation

Upgrade electron to version 19.1.5, 20.3.5 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub PR
• GitHub Release
• CISA - Known Exploited Vulnerabilities

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion due to the V8 process. An attacker can potentially perform arbitrary read/write by exploiting a crafted HTML page.

Remediation

Upgrade electron to version 29.4.3 or higher.

References

• Chrome Releases
• Github Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in the storage foundation, which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page

Remediation

Upgrade electron to version 16.0.0 or higher.

References

• GitHub PR 13.x.y Branch
• GitHub PR 14.x.y Branch
• GitHub PR 15.x.y Branch

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in the BFCache, due to the attempts to cache an interstitial which results in a crash.

Remediation

Upgrade electron to version 16.2.4, 17.4.2 or higher.

References

• GitHub Fix Commit Version 16.x
• GitHub Fix Commit Version 17.x
• GitHub PR
• Google Blog

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in File System API.

Remediation

Upgrade electron to version 16.2.6, 17.4.3, 18.2.2 or higher.

References

• GitHub PR
• GitHub Release
• Github Releases
• Github Releases
• Google Blog

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Angle.

Remediation

Upgrade electron to version 17.4.8, 18.3.4 or higher.

References

• Chrome Releases
• GitHub PR
• GitHub PR
• GitHub Release
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free when glBufferData redefines a buffer and the new buffer is smaller than the old buffer.

Remediation

Upgrade electron to version 18.3.11, 19.0.15 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Blink, when a DisplayLock is unlocked via ForceUnlockIfNeeded.

Remediation

Upgrade electron to version 18.3.11 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in SwiftShader.

Remediation

Upgrade electron to version 19.0.15 or higher.

References

• Chrome Releases
• GitHub PR
• GitHub Releases

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in WebSQL

Remediation

Upgrade electron to version 18.3.14, 20.1.4 or higher.

References

• Chrome Releases

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in WebSQL.

Remediation

Upgrade electron to version 18.3.12, 19.0.16, 20.1.2 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub PR
• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Layout.

Remediation

Upgrade electron to version 19.1.0, 18.3.14 or higher.

References

• Chrome Releases

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Network Service

Remediation

Upgrade electron to version 20.1.2, 19.1.0, 18.3.12 or higher.

References

• Chrome Releases
• Electron v20.1.2 Release
• CISA - Known Exploited Vulnerabilities

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Frames, via a crafted HTML page.

Remediation

Upgrade electron to version 18.3.14, 19.1.0 or higher.

References

• Chrome Releases
• GitHub PR
• GitHub Releases
• GitHub Releases

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Layout.

Remediation

Upgrade electron to version 19.1.5, 20.3.5 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub PR
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in WebCodecs, which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 19.1.7, 20.3.7 or higher.

References

• Chrome Releases
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Web Workers, which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 19.1.7, 20.3.7 or higher.

References

• Chrome Releases
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Mojo, via heap corruption.

Remediation

Upgrade electron to version 20.3.9, 21.4.0 or higher.

References

• Chrome Releases
• GitHub Releases v20.3.9
• GitHub Releases v21.4.0

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in WebRTC, causing heap corruption.

Remediation

Upgrade electron to version 20.3.12, 21.4.2 or higher.

References

• Chrome Releases
• GitHub New Releases
• GitHub New Releases

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the WebAudio component. An attacker can potentially exploit heap corruption by convincing a user to visit a crafted HTML page.

Remediation

Upgrade electron to version 26.6.5, 27.2.2 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Web Audio feature. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 26.6.8, 27.3.1 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free due to the improper handling of objects in memory in the Dawn component. An attacker can potentially exploit heap corruption through a crafted HTML page.

Remediation

Upgrade electron to version 27.3.9, 28.2.10, 29.2.0 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free due to improper handling in the WebCodecs component. An attacker can achieve arbitrary read/write access by crafting a malicious HTML page.

Remediation

Upgrade electron to version 27.3.9, 28.2.10, 29.2.0 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free due to improper handling of objects in memory in the Dawn component. An attacker can cause heap corruption and potentially execute arbitrary code by convincing a user to visit a specially crafted HTML page.

Remediation

Upgrade electron to version 27.3.11, 28.3.1, 29.3.1 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the Media Session process. An attacker can execute arbitrary code inside a sandbox by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.3 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the Dawn process. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.3 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the Dawn component. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.3 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in the scheduling process. An attacker can execute arbitrary code inside a sandbox by using a crafted HTML page.

Remediation

Upgrade electron to version 29.4.3 or higher.

References

• Chrome Releases
• Github Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free due to the improper handling of memory in the Dawn process. An attacker can cause heap corruption by crafting a malicious HTML page.

Note: 126.0.6478.56 is the fixed version for Windows and Mac. Version 126.0.6478.54 fixes the vulnerability in Linux

Remediation

Upgrade electron to version 29.4.3 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Dawn process. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Note: 126.0.6478.56 is the fixed version for Windows and Mac. Version 126.0.6478.54 fixes the vulnerability in Linux

Remediation

Upgrade electron to version 29.4.3 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') in v8.

Remediation

Upgrade electron to version 33.4.6, 34.3.4 or higher.

References

• Chrome Releases
• Chromium Issues
• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to External Control of Assumed-Immutable Web Parameter via a crafted HTML page. An attacker can perform an out of bounds memory write by sending a specially crafted HTML content.

Remediation

Upgrade electron to version 31.7.2 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in Skia

Remediation

Upgrade electron to version 31.7.2 or higher.

References

• Chrome Releases
• Chromium Issues
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in Skia.

Remediation

Upgrade electron to version 31.7.2 or higher.

References

• Chrome Releases
• Chromium Issues
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in Skia.

Remediation

Upgrade electron to version 31.7.2 or higher.

References

• Chrome Releases
• Chromium Issues
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Incorrect Calculation of Buffer Size via insufficient validation of untrusted input in ANGLE and GPU. An attacker can escape the sandbox by submitting a specially crafted HTML page.

Remediation

Upgrade electron to version 37.2.4 or higher.

References

• Chrome Releases
• Git Commit
• Git Commit
• Git Diff
• GitHub PR
• CISA - Known Exploited Vulnerabilities

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write via a crafted HTML page. An attacker can execute arbitrary code inside a sandbox by crafting a malicious HTML page.

Remediation

Upgrade electron to version 31.7.7 or higher.

References

• Chrome Releases
• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write through a crafted HTML page. An attacker can execute arbitrary code inside a sandbox by crafting malicious HTML content.

Remediation

Upgrade electron to version 32.3.0 or higher.

References

• Chrome Releases
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write via a crafted HTML page. An attacker can potentially exploit heap corruption by sending a specially crafted HTML page to the victim.

Remediation

Upgrade electron to version 32.3.2, 33.4.2 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write through crafted HTML pages. An attacker can exploit heap corruption by sending a specially crafted HTML page to the victim.

Remediation

Upgrade electron to version 32.3.2, 33.4.2 or higher.

References

• Chrome Releases
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion in v8 engine.

Remediation

Upgrade electron to version 32.3.0 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via MediaStreamTrackImpl. An attacker can cause heap corruption by enticing a user to visit a specially crafted HTML page.

Remediation

Upgrade electron to version 37.2.6 or higher.

References

• Chrome Releases
• Gerrit Code Review
• Git Commit
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Dawn component.

Remediation

Upgrade electron to version 29.4.3 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the Swiftshader process. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.5, 30.2.0 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the Dawn process. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.5, 30.2.0 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free due to the improper handling of memory in the Dawn component. An attacker can cause heap corruption and potentially execute arbitrary code by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.5, 30.2.0 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the Dawn component. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.5, 30.2.0 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Dawn component. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 30.4.0, 31.4.0 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub PR
• GitHub PR
• GitHub PR
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Loader component. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 30.4.0, 31.4.0 or higher.

References

• Chrome Releases
• GitHub PR
• GitHub PR
• GitHub PR
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Dawn component. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 31.7.2 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the WebAudio process. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 31.7.2 or higher.

References

• Chrome Releases
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Serial process. An attacker can potentially exploit heap corruption.

Remediation

Upgrade electron to version 31.7.5, 32.2.5 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Compositing process. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 31.7.7 or higher.

References

• Chrome Releases
• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the V8 engine. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 33.4.3 or higher.

References

• Chrome Releases
• Chromium Issues
• GitHub Commit
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the V8 engine.

Remediation

Upgrade electron to version 32.3.3, 33.4.3 or higher.

References

• Chrome Releases
• Chromium Issues
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via lack of support for escapes in PreParserIdentifier V8` process. An attacker can achieve heap corruption by enticing a user to visit a specially crafted HTML page.

Remediation

Upgrade electron to version 37.2.5 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the WebRTC component.

Remediation

Upgrade electron to version 17.4.11, 18.3.6 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub PR
• GitHub PR
• Google Advisory
• CISA - Known Exploited Vulnerabilities

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow through the V8 engine. An attacker can corrupt memory and potentially execute arbitrary code by crafting a malicious HTML page.

Note: This is only exploitable if the user navigates to or is redirected to a malicious web page.

Remediation

Upgrade electron to version 29.4.6, 30.4.0 or higher.

References

• Chrome Releases
• Chromium Issues
• GitHub Commit
• GitHub Releases
• GitHub Releases

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-Bounds when the V8 engine processes a carefully crafted HTML page. An attacker can perform an out of bounds memory read, thereby potentially gaining unauthorized access to sensitive information.

Remediation

Upgrade electron to version 22.3.23, 24.8.2, 25.8.0 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub Commit
• PoC

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-Bounds memory access in V8 component. This vulnerability allowed a remote attacker to perform arbitrary read/write via a crafted HTML page.

Remediation

Upgrade electron to version 27.3.10, 28.3.0 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Read through the V8 engine. An attacker can access memory locations outside of the intended bounds by crafting a malicious HTML page.

Note: This is only exploitable if the user navigates to or is redirected to a malicious web page.

Remediation

Upgrade electron to version 29.4.6, 30.4.0 or higher.

References

• Chrome Releases
• Chromium Issues
• GitHub Commit
• GitHub Releases
• GitHub Releases

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write allowing a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Note: The Stable channel has been updated to 120.0.6099.234 for Mac devices.

Remediation

Upgrade electron to version 26.6.6, 27.2.3, 28.1.4 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write in Dawn.

Remediation

Upgrade electron to version 31.7.4, 32.2.3 or higher.

References

• Chrome Releases
• Chromium Issues
• GitHub Commit
• GitHub Commit
• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion in InferHasInPrototypeChain of the V8 engine.

Remediation

Upgrade electron to version 31.7.1, 32.2.1 or higher.

References

• Chrome Releases
• Chromium Issues
• GitHub Commit
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion via the V8 engine.

Remediation

Upgrade electron to version 31.7.2 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via improper handling of possible socket destruction in P2PSocketTcpBase. An attacker can achieve heap corruption and potentially execute arbitrary code by enticing a user to visit a specially crafted HTML page.

Remediation

Upgrade electron to version 37.2.4 or higher.

References

• Chrome Releases
• Git Commit
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Mojo runtime libraries collection. This allows an attacker to exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 27.3.4, 28.2.5 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the Audio process. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.6, 30.4.0 or higher.

References

• Chrome Releases
• Chromium Issues
• GitHub Releases
• GitHub Releases

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Navigation process. An attacker can exploit heap corruption by convincing a user to install a malicious extension.

Remediation

Upgrade electron to version 29.4.6, 30.4.0 or higher.

References

• Chrome Releases
• Chromium Issues
• GitHub Releases
• GitHub Releases

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via specific UI gestures in the Screen Capture feature. An attacker can potentially exploit heap corruption by convincing a user to visit a crafted HTML page.

Remediation

Upgrade electron to version 29.4.6, 30.4.0 or higher.

References

• Chrome Releases
• Chromium Issues
• GitHub Releases
• GitHub Releases

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the Media Stream process. An attacker can potentially exploit heap corruption by convincing a user to perform specific UI gestures on a crafted HTML page.

Remediation

Upgrade electron to version 29.4.6, 30.4.0 or higher.

References

• Chrome Releases
• Chromium Issues
• GitHub Releases
• GitHub Releases

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Access Control via nested unserializable return value when using contextIsolation and contextBridge are affected. Exploiting this vulnerability allows code running in the main world context in the renderer to reach into the isolated Electron context and perform privileged actions.

Note

This issue is exploitable under either of two conditions:

1. If an API exposed to the main world via contextBridge can return an object or array that contains a JS object that cannot be serialized, such as a canvas rendering context. This would normally result in an Error: object could not be cloned exception being thrown.

2. If an API exposed to the main world via contextBridge has a return value that throws a user-generated exception while being sent over the bridge, such as a dynamic getter property on an object that throws an error when being computed.

Workaround

The app-side workaround is to ensure that such a case, as mentioned in the workaround section, is not possible.

Ensure all values returned from a function exposed over the context bridge are supported and that any objects returned from functions do not have dynamic getters that can throw exceptions.

Auditing your exposed API is likely to be quite difficult, so we strongly recommend you update to a patched version of Electron.

Remediation

Upgrade electron to version 23.2.3, 25.0.0-alpha.2 or higher.

References

• GitHub Advisory

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Read in GPU Video in Google Chrome prior to 111.0.5563.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 22.3.5 or higher.

References

• Chrome Releases
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write in the Compositing process. An attacker can potentially perform a sandbox escape by exploiting specific UI gestures. This is only exploitable if the attacker has already compromised the GPU process.

Remediation

Upgrade electron to version 27.3.11, 28.3.1, 29.3.1 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the WebGPU process. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 26.6.5, 27.2.2 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the ANGLE component. An attacker can potentially exploit heap corruption by convincing a user to visit a crafted HTML page.

Remediation

Upgrade electron to version 26.6.5, 27.2.2 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Function Call with Incorrectly Specified Arguments via an incorrect handle provided in unspecified circumstances in Mojo. An attacker can reflect a broker-initiated transport back to a broker, which ultimately allows for handle leaks if the reflected transport is later used to deserialize another transport containing handles.

Remediation

Upgrade electron to version 36.3.0 or higher.

References

• GitHub Commit
• GitHub PR
• Google Chrome Advisory

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Input Validation in the USB component.

Remediation

Upgrade electron to version 25.9.4, 26.5.0, 27.0.4 or higher.

References

• Chrome Releases
• GitHub PR
• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound in the USB component.

Remediation

Upgrade electron to version 25.9.4, 26.5.0, 27.0.4 or higher.

References

• Chrome Releases
• GitHub PR
• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to NULL Pointer Dereference in V8, due to an object lifecycle issue involving scope inheritance.

Remediation

Upgrade electron to version 27.3.8, 28.2.9, 29.1.6 or higher.

References

• Chrome Releases
• Github Commit
• Github Commit
• GitHub Commit
• GitHub Commit
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Animation component in Chromium.

Remediation

Upgrade electron to version 16.0.10, 17.1.0 or higher.

References

• Chrome Releases
• Electron PR
• GitHub Commit (CefSharp)
• CISA - Known Exploited Vulnerabilities

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in V8, which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 19.1.7, 20.3.7 or higher.

References

• Chrome Releases
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Denial of Service (DoS) in PDF in Google Chrome, a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade electron to version 17.4.11, 18.3.7 or higher.

References

• Chrome Bug
• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to insufficient validation of untrusted input in V8.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade electron to version 18.3.14 or higher.

References

• Chrome Releases

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to type confusion in V8, which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 19.1.7, 20.3.7 or higher.

References

• Chrome Releases
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Denial of Service (DoS) via an Out of bounds memory access in V8.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade electron to version 27.3.6, 28.2.7, 29.1.2 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub PR

Overview

electron-updater is a module allowing applications to implement auto-update functionality.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature through the windowsExecutableCodeSignatureVerifier process. An attacker in control of an update manifest - via server compromise or other exploitation - can bypass signature verification of a downloaded file by tricking the application into verifying the signature on a different file instead.

Note: This is only exploitable on Windows.

Remediation

Upgrade electron-updater to version 6.3.0-alpha.6 or higher.

References

• GitHub Commit
• GitHub PR
• Vulnerable Code

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in WebGPU.

Remediation

Upgrade electron to version 16.2.5, 17.4.3 or higher.

References

• Github Fix Commit
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in Crashpad in Google Chrome on Android, which allows a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

Remediation

Upgrade electron to version 19.1.7, 20.3.7 or higher.

References

• Chrome Releases
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in Network Service via a crafted HTML page and specific interactions.

Remediation

Upgrade electron to version 20.3.10, 21.3.5 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in Metrics by allowing a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 21.4.4, 22.3.5 or higher.

References

• Chrome Releases

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in vp8 encoding in libvpx.

Remediation

Upgrade electron to version 22.3.25, 24.8.5, 25.8.4, 26.2.4, 27.0.0-beta.8 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub PR
• GitHub PR
• GitHub PR
• GitHub PR
• GitHub PR
• CISA - Known Exploited Vulnerabilities

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the WebRTC framework, used to provide Real-Time Communications (RTC) capabilities via JavaScript APIs.

Remediation

Upgrade electron to version 26.6.3, 27.2.0, 28.1.0 or higher.

References

• Chrome Releases
• CISA - Known Exploited Vulnerabilities

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the ANGLE process. An attacker can perform an out of bounds memory read via a crafted HTML page.

Remediation

Upgrade electron to version 29.4.3 or higher.

References

• Chrome Releases
• Github Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the Dawn process. An attacker can perform an out of bounds memory write by exploiting a crafted HTML page.

Remediation

Upgrade electron to version 29.4.3 or higher.

References

• Chrome Releases
• Github Commit

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion due to a type confusion in V8. A remote attacker could exploit heap corruption via a crafted HTML page.

Note: The Stable channel has been updated to 120.0.6099.234 for Mac devices.

Remediation

Upgrade electron to version 26.6.6, 27.2.3, 28.1.4 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub PR
• GitHub PR

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to inserting the X-XSRF-TOKEN header using the secret XSRF-TOKEN cookie value in all requests to any server when the XSRF-TOKEN0 cookie is available, and the withCredentials setting is turned on. If a malicious user manages to obtain this value, it can potentially lead to the XSRF defence mechanism bypass.

Workaround

Users should change the default XSRF-TOKEN cookie name in the Axios configuration and manually include the corresponding header only in the specific places where it's necessary.

Remediation

Upgrade axios to version 0.28.0, 1.6.0 or higher.

References

• GitHub Commit
• GitHub Issue
• GitHub Issue
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Read in WebRTC, exploitable via a crafted HTML page.

Remediation

Upgrade electron to version 22.3.16 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub PR
• GitHub Release

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Media Stream process. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 26.6.3, 27.2.0 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub PR
• GitHub PR

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Read in Skia.

Remediation

Upgrade electron to version 31.7.2, 32.2.2 or higher.

References

• Chrome Releases
• GitHub Commit
• GitHub Commit
• GitHub PR