<p>Upgrade <code>electron</code> to version 5.0.0-beta.1 or higher.</p>

Arbitrary Code Execution Affecting electron package, versions <5.0.0-beta.1

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JS-ELECTRON-483056
published 11 Nov 2019
disclosed 7 Jan 2019
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 7 Jan 2019

CWE-453 Open this link in a new tab

How to fix?

Upgrade electron to version 5.0.0-beta.1 or higher.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Arbitrary Code Execution due to Node being enabled in a webview because the default values of nodeIntegration and webviewTag were set to true when they where undefined by a user. The fix allows users to prevent Node and webview being enabled, when undefined, by setting the default values of nodeIntegration and webviewTag to false.

References

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Privileges Required (PR)

None
User Interaction (UI)

None

Scope (S)

Unchanged

Confidentiality (C)

Low
Integrity (I)

Low
Availability (A)

Low

Arbitrary Code Execution Affecting electron package, versions <5.0.0-beta.1

Severity

CVSS assessment made by Snyk's Security Team

Introduced: 7 Jan 2019

How to fix?

Overview

References

CVSS Scores

Snyk