CVE-2018-1000136

HIGH8.1EPSS 1.4%

Electron Vulnerable to Code Execution by Re-Enabling Node.js Integration

Published: 3/26/2018Modified: 11/8/2023

Description

A vulnerability has been discovered which allows Node.js integration to be re-enabled in some Electron applications that disable it. For the application to be impacted by this vulnerability it must meet all of these conditions - Runs on Electron 1.7, 1.8, or a 2.0.0-beta - Allows execution of arbitrary remote code - Disables Node.js integration - Does not explicitly declare webviewTag: false in its webPreferences - Does not enable the nativeWindowOption option - Does not intercept new-window events and manually override event.newGuest without using the supplied options tag ## Recommendation Update to `electron` version 1.7.13, 1.8.4, or 2.0.0-beta.5 or later. If you are unable to update your Electron version can mitigate the vulnerability with the following code. ```js app.on('web-contents-created', (event, win) => { win.on('new-window', (event, newURL, frameName, disposition, options, additionalFeatures) => { if (!options.webPreferences) options.webPreferences = {}; options.webPreferences.nodeIntegration = false; options.webPreferences.nodeIntegrationInWorker = false; options.webPreferences.webviewTag = false; delete options.webPreferences.preload; }) }) // and *IF* you don't use WebViews at all, // you might also want app.on('web-contents-created', (event, win) => { win.on('will-attach-webview', (event, webPreferences, params) => { event.preventDefault(); }) }) ```

Affected packages (1)

CVSS scores

SourceVersionSeverityVector
osvCVSS 3.1HIGH8.1CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References (10)