Find, fix and prevent vulnerabilities in your code.
critical severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@37.2.5.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via the lack of limitation on max inlining ids in MaglevGraphBuilder. An attacker can achieve heap corruption and potentially execute arbitrary code by enticing a user to visit a specially crafted HTML page.
Remediation
Upgrade electron to version 37.2.5 or higher.
References
critical severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@31.7.1.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Type Confusion via crafted HTML content. This can be exploited to escape the v8 sandbox and execute arbitrary code on the operating system.
Remediation
Upgrade electron to version 31.7.1, 32.2.1 or higher.
References
critical severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@31.7.2.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Out-of-Bounds Write via the V8 engine. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.
Remediation
Upgrade electron to version 31.7.2 or higher.
References
high severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@31.7.4.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Improper Access Control due to an inappropriate implementation in Extensions. An attacker can bypass site isolation.
Remediation
Upgrade electron to version 31.7.4, 32.2.3 or higher.
References
high severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@31.7.2.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Out-of-bounds Read via a crafted HTML page. An attacker can access memory locations outside the intended boundary by crafting a malicious HTML page that triggers the flaw.
Remediation
Upgrade electron to version 31.7.2 or higher.
References
high severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@33.4.6.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') in v8.
Remediation
Upgrade electron to version 33.4.6, 34.3.4 or higher.
References
high severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@31.7.2.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to External Control of Assumed-Immutable Web Parameter via a crafted HTML page. An attacker can perform an out of bounds memory write by sending a specially crafted HTML content.
Remediation
Upgrade electron to version 31.7.2 or higher.
References
high severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@31.7.2.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Heap-based Buffer Overflow in Skia
Remediation
Upgrade electron to version 31.7.2 or higher.
References
high severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@31.7.2.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Heap-based Buffer Overflow in Skia.
Remediation
Upgrade electron to version 31.7.2 or higher.
References
high severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@31.7.2.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Heap-based Buffer Overflow in Skia.
Remediation
Upgrade electron to version 31.7.2 or higher.
References
high severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@37.2.4.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Incorrect Calculation of Buffer Size via insufficient validation of untrusted input in ANGLE and GPU. An attacker can escape the sandbox by submitting a specially crafted HTML page.
Remediation
Upgrade electron to version 37.2.4 or higher.
References
high severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@31.7.7.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Out-of-bounds Write via a crafted HTML page. An attacker can execute arbitrary code inside a sandbox by crafting a malicious HTML page.
Remediation
Upgrade electron to version 31.7.7 or higher.
References
high severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@32.3.0.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Out-of-bounds Write through a crafted HTML page. An attacker can execute arbitrary code inside a sandbox by crafting malicious HTML content.
Remediation
Upgrade electron to version 32.3.0 or higher.
References
high severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@32.3.2.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Out-of-bounds Write via a crafted HTML page. An attacker can potentially exploit heap corruption by sending a specially crafted HTML page to the victim.
Remediation
Upgrade electron to version 32.3.2, 33.4.2 or higher.
References
high severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@32.3.2.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Out-of-bounds Write through crafted HTML pages. An attacker can exploit heap corruption by sending a specially crafted HTML page to the victim.
Remediation
Upgrade electron to version 32.3.2, 33.4.2 or higher.
References
high severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@32.3.0.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Type Confusion in v8 engine.
Remediation
Upgrade electron to version 32.3.0 or higher.
References
high severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@37.2.6.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Use After Free via MediaStreamTrackImpl. An attacker can cause heap corruption by enticing a user to visit a specially crafted HTML page.
Remediation
Upgrade electron to version 37.2.6 or higher.
References
high severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@31.7.2.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Use After Free via the Dawn component. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.
Remediation
Upgrade electron to version 31.7.2 or higher.
References
high severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@31.7.2.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Use After Free via the WebAudio process. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.
Remediation
Upgrade electron to version 31.7.2 or higher.
References
high severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@31.7.5.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Use After Free via the Serial process. An attacker can potentially exploit heap corruption.
Remediation
Upgrade electron to version 31.7.5, 32.2.5 or higher.
References
high severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@31.7.7.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Use After Free via the Compositing process. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.
Remediation
Upgrade electron to version 31.7.7 or higher.
References
high severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@33.4.3.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Use After Free through the V8 engine. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.
Remediation
Upgrade electron to version 33.4.3 or higher.
References
high severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@32.3.3.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Use After Free through the V8 engine.
Remediation
Upgrade electron to version 32.3.3, 33.4.3 or higher.
References
high severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@37.2.5.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via lack of support for escapes in PreParserIdentifier V8` process. An attacker can achieve heap corruption by enticing a user to visit a specially crafted HTML page.
Remediation
Upgrade electron to version 37.2.5 or higher.
References
high severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@31.7.4.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Out-of-bounds Write in Dawn.
Remediation
Upgrade electron to version 31.7.4, 32.2.3 or higher.
References
high severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@31.7.1.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Type Confusion in InferHasInPrototypeChain of the V8 engine.
Remediation
Upgrade electron to version 31.7.1, 32.2.1 or higher.
References
high severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@31.7.2.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Type Confusion via the V8 engine.
Remediation
Upgrade electron to version 31.7.2 or higher.
References
high severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@37.2.4.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Use After Free via improper handling of possible socket destruction in P2PSocketTcpBase. An attacker can achieve heap corruption and potentially execute arbitrary code by enticing a user to visit a specially crafted HTML page.
Remediation
Upgrade electron to version 37.2.4 or higher.
References
high severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@36.3.0.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Function Call with Incorrectly Specified Arguments via an incorrect handle provided in unspecified circumstances in Mojo. An attacker can reflect a broker-initiated transport back to a broker, which ultimately allows for handle leaks if the reflected transport is later used to deserialize another transport containing handles.
Remediation
Upgrade electron to version 36.3.0 or higher.
References
high severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@31.7.2.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Out-of-bounds Read in Skia.
Remediation
Upgrade electron to version 31.7.2, 32.2.2 or higher.
References
medium severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@31.7.4.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via a crafted HTML page. An attacker can potentially exploit heap corruption.
Remediation
Upgrade electron to version 31.7.4, 32.2.3 or higher.
References
medium severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@32.2.3.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via a crafted HTML page. An attacker can potentially exploit heap corruption.
Remediation
Upgrade electron to version 32.2.3 or higher.
References
medium severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@31.7.5.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Access Restriction Bypass due to an inappropriate implementation in the Extensions feature. An attacker can bypass site isolation.
Remediation
Upgrade electron to version 31.7.5, 32.2.5, 33.2.1 or higher.
References
medium severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@31.7.2.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Heap-based Buffer Overflow in Fonts.
Remediation
Upgrade electron to version 31.7.2 or higher.
References
medium severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@31.7.2.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Heap-based Buffer Overflow through the V8 engine.
Remediation
Upgrade electron to version 31.7.2 or higher.
References
medium severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@32.3.2.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Heap-based Buffer Overflow in v8, when processing a very large number of parameters.
Remediation
Upgrade electron to version 32.3.2, 33.4.2 or higher.
References
medium severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@33.4.8.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization that allows an attacker who can convince a user to follow a malicious link to escape sandbox protections, due to a logic error in the Mojo component. This vulnerability does not enable code execution on its own, but is presumed chainable with another vulnerability to achieve code execution and has been observed in the wild.
Note: This vulnerability is only exploitable on Windows.
Remediation
Upgrade electron to version 33.4.8, 34.4.1, 35.1.2 or higher.
References
medium severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@37.2.4.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Integer Overflow or Wraparound via an incorrect count being passed to InstructionAccurateScope in the V8 engine. An attacker can cause heap corruption by enticing a user to visit a specially crafted HTML page.
Remediation
Upgrade electron to version 37.2.4 or higher.
References
medium severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@31.7.2.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Type Confusion. An attacker can access memory locations outside of the intended bounds by crafting a malicious HTML page that triggers type confusion in the V8 engine.
Remediation
Upgrade electron to version 31.7.2 or higher.
References
medium severity
- Vulnerable module: inflight
- Introduced through: bcrypt@5.1.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › bcrypt@5.1.1 › @mapbox/node-pre-gyp@1.0.11 › rimraf@3.0.2 › glob@7.2.3 › inflight@1.0.6
Overview
Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime via the makeres function due to improperly deleting keys from the reqs object after execution of callbacks. This behavior causes the keys to remain in the reqs object, which leads to resource exhaustion.
Exploiting this vulnerability results in crashing the node process or in the application crash.
Note: This library is not maintained, and currently, there is no fix for this issue. To overcome this vulnerability, several dependent packages have eliminated the use of this library.
To trigger the memory leak, an attacker would need to have the ability to execute or influence the asynchronous operations that use the inflight module within the application. This typically requires access to the internal workings of the server or application, which is not commonly exposed to remote users. Therefore, “Attack vector” is marked as “Local”.
PoC
const inflight = require('inflight');
function testInflight() {
let i = 0;
function scheduleNext() {
let key = `key-${i++}`;
const callback = () => {
};
for (let j = 0; j < 1000000; j++) {
inflight(key, callback);
}
setImmediate(scheduleNext);
}
if (i % 100 === 0) {
console.log(process.memoryUsage());
}
scheduleNext();
}
testInflight();
Remediation
There is no fixed version for inflight.
References
medium severity
new
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@35.7.5.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Arbitrary Code Injection via modification of the resources folder when the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses are enabled. An attacker can execute unauthorized code by altering files within the application directory, bypassing ASAR integrity checks.
Note: This is only exploitable if the application is launched from a filesystem to which the attacker has write access.
Remediation
Upgrade electron to version 35.7.5, 36.8.1, 37.3.1, 38.0.0-beta.6 or higher.
References
medium severity
- Vulnerable module: electron
- Introduced through: electron@30.5.1
Detailed paths
-
Introduced through: ever-gauzy@ever-co/gauzy#7b5de60062877af22ba8e3871dc28921a6f1ec7f › electron@30.5.1Remediation: Upgrade to electron@36.3.0.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Information Exposure via the Loader component. An attacker can leak sensitive cross-origin data by crafting a malicious HTML page.
Remediation
Upgrade electron to version 36.3.0 or higher.