Improper Access Control Affecting electron package, versions <23.2.3 >=24.0.0-alpha.1 <25.0.0-alpha.2
- Snyk ID SNYK-JS-ELECTRON-5885098
- published 7 Sep 2023
- disclosed 6 Sep 2023
- credit MarshallOfSound
Introduced: 6 Sep 2023
CVE-2023-29198
How to fix?
Upgrade electron to version 23.2.3, 25.0.0-alpha.2 or higher.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Improper Access Control via a nested unserializable return value. Applications that use contextIsolation and contextBridge are affected.
Exploiting this vulnerability allows code running in the main world context in the renderer to reach into the isolated Electron context and perform privileged actions.
Note
This issue is exploitable under either of two conditions:
- If an API exposed to the main world via contextBridge can return an object or array that contains a JS object that cannot be serialized, such as a canvas rendering context. This would normally result in an "Error: object could not be cloned" exception being thrown.
- If an API exposed to the main world via contextBridge has a return value that throws a user-generated exception while being sent over the bridge, such as a dynamic getter property on an object that throws an error when being computed.
Workaround
The app-side workaround is to ensure that neither of the cases described in the note above is possible.
Ensure all values returned from a function exposed over the context bridge are supported and that any objects returned from functions do not have dynamic getters that can throw exceptions.
Auditing your exposed API is likely to be quite difficult, so we strongly recommend you update to a patched version of Electron.
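One way to start such an audit, as an added example that is not code from Electron or from this advisory: a checker that walks a value a preload function would return and reports nested non-plain objects and accessor properties, reading property descriptors so that no getter is ever invoked. The names auditBridgeValue and FakeContext are hypothetical, the sample values are constructed, and the allowlist is an assumption that is deliberately stricter than what the bridge accepts.

```javascript
// Added example: audit a value that a preload function would return over
// contextBridge, without ever invoking a getter on it.
// Allowlist (assumption, deliberately stricter than the bridge itself):
// null, undefined, string, number, boolean, plain objects and arrays.
function auditBridgeValue(value, path = 'return', seen = new WeakSet(), out = []) {
  const t = typeof value;
  if (value === null || ['undefined', 'string', 'number', 'boolean'].includes(t)) {
    return out;
  }
  if (t !== 'object') {                       // function, symbol, bigint
    out.push(`${path}: unsupported type ${t}`);
    return out;
  }
  if (seen.has(value)) return out;            // cycle or shared reference
  seen.add(value);
  const proto = Object.getPrototypeOf(value);
  if (!Array.isArray(value) && proto !== Object.prototype && proto !== null) {
    out.push(`${path}: non-plain object`);    // e.g. a canvas rendering context
    return out;
  }
  for (const key of Reflect.ownKeys(value)) {
    if (Array.isArray(value) && key === 'length') continue;
    const childPath = `${path}.${String(key)}`;
    // Inspect the descriptor instead of reading the property, so a getter
    // that throws is reported rather than triggered.
    const desc = Object.getOwnPropertyDescriptor(value, key);
    if (desc.get || desc.set) {
      out.push(`${childPath}: accessor property`);
      continue;
    }
    auditBridgeValue(desc.value, childPath, seen, out);
  }
  return out;
}

// Constructed sample return values (not from any real application).
class FakeContext {}                          // stands in for an unserializable object
const samples = {
  safe: { name: 'doc', tags: ['a', 'b'], size: 3 },
  nestedUnserializable: { items: [{ ctx: new FakeContext() }] },
  throwingGetter: { info: { get token() { throw new Error('boom'); } } },
};
for (const [name, value] of Object.entries(samples)) {
  console.log(name, auditBridgeValue(value));
}
```

A check like this fits in unit tests for each function passed to contextBridge.exposeInMainWorld. It cannot detect Proxy objects, so it supports an audit but does not replace upgrading.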