electron-updater@3.2.3 vulnerabilities

Cross platform updater for electron applications

Direct Vulnerabilities

Known vulnerabilities in the electron-updater package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Signature Validation Bypass

electron-updater is a module allowing applications to implement auto-update functionality.

Affected versions of this package are vulnerable to Signature Validation Bypass. The signature verification check is based on a string comparison between the installed binary’s publisherName and the certificate’s Common Name attribute of the update binary. During a software update, the application will request a file named latest.yml from the update server, which contains the definition of the new release - including the binary filename and hashes.

Using a filename containing a backtick (`), among other symbols and a matching hash, an attacker could bypass the entire signature verification by triggering a parse error in the script.

This can be leveraged to force a malicious update on Windows clients, effectively gaining code execution and persistence capabilities.

Exploitation of this vulnerability requires the attacker to also have control over the update server, or alternatively a man-in-the-middle.

A partial fix has been made available, blacklisting a small set of characters, but there are additional characters that can be used to exploit this vulnerability.

How to fix Signature Validation Bypass?

Upgrade electron-updater to version 4.3.1 or higher.

<4.3.1
  • M
Signature Validation Bypass

electron-updater is a module allowing applications to implement auto-update functionality.

Affected versions of this package are vulnerable to Signature Validation Bypass. The signature verification check is based on a string comparison between the installed binary’s publisherName and the certificate’s Common Name attribute of the update binary. During a software update, the application will request a file named latest.yml from the update server, which contains the definition of the new release - including the binary filename and hashes.

Using a filename containing a single quote and a matching hash, an attacker could bypass the entire signature verification by triggering a parse error in the script.

This can be leveraged to force a malicious update on Windows clients, effectively gaining code execution and persistence capabilities.

Exploitation of this vulnerability requires the attacker to also have control over the update server, or alternatively a man-in-the-middle.

How to fix Signature Validation Bypass?

Upgrade electron-updater to version 4.2.2 or higher.

<4.2.2