Uninitialized Memory Exposure Affecting electron package, versions <1.6.1
Snyk CVSS
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID npm:electron:20160903
- published 9 Oct 2017
- disclosed 2 Sep 2016
- credit Unknown
How to fix?
Upgrade electron to version 1.6.1 or higher.
Note This is vulnerable only for Node <=4
Overview
electron is a framework for creating native applications with web technologies like JavaScript, HTML, and CSS. It takes care of the hard parts so you can focus on the core of your application.
Affected versions of the package are vulnerable to Uninitialized Memory Exposure. The Buffer class in Node.js is available as global, even if the nodeintegration attribute is not added. This could result in concatenation of uninitialized memory to the buffer collection.
This is a result of unobstructed use of the Buffer constructor, whose insecure default constructor increases the odds of memory leakage.