SSL Validation disabled by default Affecting electron-packager package, versions >=5.2.1 <7.0.0
- Snyk ID npm:electron-packager:20160422
- published 17 May 2016
- disclosed 22 Apr 2016
- credit Mark Lee
Introduced: 22 Apr 2016
CVE-2016-10534
How to fix?
- Upgrade electron-packager to version 7.0.0 or higher.
- If a direct dependency update is not possible, use snyk wizard to patch this vulnerability.
- Delete the electron-download cache folder, by default named .electron, located in your home folder.
Overview
electron-packager is a command line tool that lets you package and distribute your Electron app with OS-specific bundles (.app, .exe etc.) via JS or CLI.
Versions 5.2.1-6.0.2 have the --strict-ssl command line option default to false, so strict SSL certificate validation is not enabled when the Electron binary is downloaded. This could allow an attacker to perform an SSL man-in-the-middle attack and deliver a malicious Electron version, which is also cached in the ~/.electron folder and therefore reused by later builds until that cache is deleted.
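As an added example (not Snyk's or electron-packager's own code), the following script decides whether an installed electron-packager version falls inside the affected range ">=5.2.1 <7.0.0" stated in this advisory, using a small dependency-free semver comparison; the node_modules path it inspects is an assumed local project layout.

```javascript
// Parse "MAJOR.MINOR.PATCH" into numbers; a leading "v" and any
// prerelease/build suffix ("-beta.1", "+build") are dropped.
function parseVersion(v) {
  const core = String(v).trim().replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(n => !Number.isInteger(n) || n < 0)) {
    throw new Error(`not a valid semver core: ${v}`);
  }
  return parts;
}

// Compare two version strings component by component: -1, 0 or 1.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Affected range from the advisory: 5.2.1 inclusive, fixed in 7.0.0.
const AFFECTED_MIN = '5.2.1';
const FIXED_IN = '7.0.0';

function isVulnerable(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 &&
         compareVersions(version, FIXED_IN) < 0;
}

// Look up the electron-packager version installed under a project's
// node_modules (assumed layout) and flag it. Returns null if not installed.
function checkInstalled(projectDir) {
  const fs = require('fs');
  const path = require('path');
  const pkgPath = path.join(projectDir, 'node_modules', 'electron-packager', 'package.json');
  if (!fs.existsSync(pkgPath)) return null;
  const { version } = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
  return { version, vulnerable: isVulnerable(version) };
}

// Usage: node check-electron-packager.js [project-dir]
if (typeof require !== 'undefined' && require.main === module) {
  const result = checkInstalled(process.argv[2] || process.cwd());
  console.log(result ? JSON.stringify(result) : 'electron-packager not installed');
}
```

A vulnerable result means the build should be rerun with --strict-ssl enabled (or the package upgraded) and the ~/.electron cache cleared, since a binary fetched without certificate validation may already be sitting there.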