Skip to content

🚨 [security] Update electron 19.0.1 → 27.1.3 (major)

Depfu Bot requested to merge depfu/update/yarn/electron-27.1.3 into main

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

️ electron (19.0.1 → 27.1.3) · Repo
Security Advisories 🚨

🚨 ASAR Integrity bypass via filetype confusion in electron

Impact

This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS.

Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the .app bundle on macOS which these fuses are supposed to protect against.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

  • 27.0.0-alpha.7
  • 26.2.1
  • 25.8.1
  • 24.8.3
  • 23.3.14
  • 22.3.24

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

🚨 ASAR Integrity bypass via filetype confusion in electron

Impact

This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS.

Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the .app bundle on macOS which these fuses are supposed to protect against.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

  • 27.0.0-alpha.7
  • 26.2.1
  • 25.8.1
  • 24.8.3
  • 23.3.14
  • 22.3.24

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

🚨 ASAR Integrity bypass via filetype confusion in electron

Impact

This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS.

Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the .app bundle on macOS which these fuses are supposed to protect against.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

  • 27.0.0-alpha.7
  • 26.2.1
  • 25.8.1
  • 24.8.3
  • 23.3.14
  • 22.3.24

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

🚨 ASAR Integrity bypass via filetype confusion in electron

Impact

This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS.

Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the .app bundle on macOS which these fuses are supposed to protect against.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

  • 27.0.0-alpha.7
  • 26.2.1
  • 25.8.1
  • 24.8.3
  • 23.3.14
  • 22.3.24

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

🚨 ASAR Integrity bypass via filetype confusion in electron

Impact

This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS.

Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the .app bundle on macOS which these fuses are supposed to protect against.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

  • 27.0.0-alpha.7
  • 26.2.1
  • 25.8.1
  • 24.8.3
  • 23.3.14
  • 22.3.24

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

🚨 Electron affected by libvpx's heap buffer overflow in vp8 encoding

Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

🚨 Electron affected by libvpx's heap buffer overflow in vp8 encoding

Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

🚨 Electron affected by libvpx's heap buffer overflow in vp8 encoding

Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

🚨 Electron affected by libvpx's heap buffer overflow in vp8 encoding

Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

🚨 libwebp: OOB write in BuildHuffmanTable

Heap buffer overflow in WebP allow a remote attacker to perform an out of bounds memory write via a crafted HTML page.

🚨 libwebp: OOB write in BuildHuffmanTable

Heap buffer overflow in WebP allow a remote attacker to perform an out of bounds memory write via a crafted HTML page.

🚨 libwebp: OOB write in BuildHuffmanTable

Heap buffer overflow in WebP allow a remote attacker to perform an out of bounds memory write via a crafted HTML page.

🚨 libwebp: OOB write in BuildHuffmanTable

Heap buffer overflow in WebP allow a remote attacker to perform an out of bounds memory write via a crafted HTML page.

🚨 Electron's Content-Secrity-Policy disabling eval not applied consistently in renderers with sandbox disabled

Impact

A Content-Security-Policy that disables eval, specifically setting a script-src directive and not providing unsafe-eval in that directive, is not respected in renderers that have sandbox and contextIsolation disabled. i.e. sandbox: false and contextIsolation: false in the webPreferences object.

This resulted in incorrectly allowing usage of methods like eval() and new Function, which can result in an expanded attack surface.

Patches

This issue only ever affected the 22 and 23 major versions of Electron and has been fixed in the latest versions of those release lines. Specifically, these versions contain the fixes:

  • 22.0.1
  • 23.0.0-alpha.2

We recommend all apps upgrade to the latest stable version of Electron, especially if they use sandbox: false or contextIsolation: false.

Workarounds

If upgrading isn't possible, this issue can be addressed without upgrading by enabling at least one of sandbox: true or contextIsolation: true on all renderers.

const mainWindow = new BrowserWindow({
  webPreferences: {
    sandbox: true,
  }
});

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

Credit

Thanks to user @andreasdj for reporting this issue.

🚨 Electron vulnerable to out-of-package code execution when launched with arbitrary cwd

Impact

Apps that are launched as command line executables are impacted. E.g. if your app exposes itself in the path as myapp --help

Specifically this issue can only be exploited if the following conditions are met:

  • Your app is launched with an attacker-controlled working directory
  • The attacker has the ability to write files to that working directory

This makes the risk quite low, in fact normally issues of this kind are considered outside of our threat model as similar to Chromium we exclude Physically Local Attacks but given the ability for this issue to bypass certain protections like ASAR Integrity it is being treated with higher importance. Please bear this in mind when reporting similar issues in the future.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

  • 26.0.0-beta.13
  • 25.5.0
  • 24.7.1
  • 23.3.13
  • 22.3.19

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

🚨 Electron vulnerable to out-of-package code execution when launched with arbitrary cwd

Impact

Apps that are launched as command line executables are impacted. E.g. if your app exposes itself in the path as myapp --help

Specifically this issue can only be exploited if the following conditions are met:

  • Your app is launched with an attacker-controlled working directory
  • The attacker has the ability to write files to that working directory

This makes the risk quite low, in fact normally issues of this kind are considered outside of our threat model as similar to Chromium we exclude Physically Local Attacks but given the ability for this issue to bypass certain protections like ASAR Integrity it is being treated with higher importance. Please bear this in mind when reporting similar issues in the future.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

  • 26.0.0-beta.13
  • 25.5.0
  • 24.7.1
  • 23.3.13
  • 22.3.19

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

🚨 Electron vulnerable to out-of-package code execution when launched with arbitrary cwd

Impact

Apps that are launched as command line executables are impacted. E.g. if your app exposes itself in the path as myapp --help

Specifically this issue can only be exploited if the following conditions are met:

  • Your app is launched with an attacker-controlled working directory
  • The attacker has the ability to write files to that working directory

This makes the risk quite low, in fact normally issues of this kind are considered outside of our threat model as similar to Chromium we exclude Physically Local Attacks but given the ability for this issue to bypass certain protections like ASAR Integrity it is being treated with higher importance. Please bear this in mind when reporting similar issues in the future.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

  • 26.0.0-beta.13
  • 25.5.0
  • 24.7.1
  • 23.3.13
  • 22.3.19

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

🚨 Electron vulnerable to out-of-package code execution when launched with arbitrary cwd

Impact

Apps that are launched as command line executables are impacted. E.g. if your app exposes itself in the path as myapp --help

Specifically this issue can only be exploited if the following conditions are met:

  • Your app is launched with an attacker-controlled working directory
  • The attacker has the ability to write files to that working directory

This makes the risk quite low, in fact normally issues of this kind are considered outside of our threat model as similar to Chromium we exclude Physically Local Attacks but given the ability for this issue to bypass certain protections like ASAR Integrity it is being treated with higher importance. Please bear this in mind when reporting similar issues in the future.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

  • 26.0.0-beta.13
  • 25.5.0
  • 24.7.1
  • 23.3.13
  • 22.3.19

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

🚨 Electron vulnerable to out-of-package code execution when launched with arbitrary cwd

Impact

Apps that are launched as command line executables are impacted. E.g. if your app exposes itself in the path as myapp --help

Specifically this issue can only be exploited if the following conditions are met:

  • Your app is launched with an attacker-controlled working directory
  • The attacker has the ability to write files to that working directory

This makes the risk quite low, in fact normally issues of this kind are considered outside of our threat model as similar to Chromium we exclude Physically Local Attacks but given the ability for this issue to bypass certain protections like ASAR Integrity it is being treated with higher importance. Please bear this in mind when reporting similar issues in the future.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

  • 26.0.0-beta.13
  • 25.5.0
  • 24.7.1
  • 23.3.13
  • 22.3.19

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

🚨 Electron context isolation bypass via nested unserializable return value

Impact

Apps using contextIsolation and contextBridge are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

This issue is exploitable under either of two conditions:

  • If an API exposed to the main world via contextBridge can return an object or array that contains a JS object which cannot be serialized, for instance, a canvas rendering context. This would normally result in an exception being thrown Error: object could not be cloned.
  • If an API exposed to the main world via contextBridge has a return value that throws a user-generated exception while being sent over the bridge, for instance a dynamic getter property on an object that throws an error when being computed.

The app side workaround is to ensure that such a case is not possible. Ensure all values returned from a function exposed over the context bridge are supported and that any objects returned from functions do not have dynamic getters that can throw exceptions.

Auditing your exposed API is likely to be quite difficult so we strongly recommend you update to a patched version of Electron.

Fixed Versions

  • 25.0.0-alpha.2
  • 24.0.1
  • 23.2.3
  • 22.3.6

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

🚨 Electron context isolation bypass via nested unserializable return value

Impact

Apps using contextIsolation and contextBridge are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

This issue is exploitable under either of two conditions:

  • If an API exposed to the main world via contextBridge can return an object or array that contains a JS object which cannot be serialized, for instance, a canvas rendering context. This would normally result in an exception being thrown Error: object could not be cloned.
  • If an API exposed to the main world via contextBridge has a return value that throws a user-generated exception while being sent over the bridge, for instance a dynamic getter property on an object that throws an error when being computed.

The app side workaround is to ensure that such a case is not possible. Ensure all values returned from a function exposed over the context bridge are supported and that any objects returned from functions do not have dynamic getters that can throw exceptions.

Auditing your exposed API is likely to be quite difficult so we strongly recommend you update to a patched version of Electron.

Fixed Versions

  • 25.0.0-alpha.2
  • 24.0.1
  • 23.2.3
  • 22.3.6

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

🚨 Electron context isolation bypass via nested unserializable return value

Impact

Apps using contextIsolation and contextBridge are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

This issue is exploitable under either of two conditions:

  • If an API exposed to the main world via contextBridge can return an object or array that contains a JS object which cannot be serialized, for instance, a canvas rendering context. This would normally result in an exception being thrown Error: object could not be cloned.
  • If an API exposed to the main world via contextBridge has a return value that throws a user-generated exception while being sent over the bridge, for instance a dynamic getter property on an object that throws an error when being computed.

The app side workaround is to ensure that such a case is not possible. Ensure all values returned from a function exposed over the context bridge are supported and that any objects returned from functions do not have dynamic getters that can throw exceptions.

Auditing your exposed API is likely to be quite difficult so we strongly recommend you update to a patched version of Electron.

Fixed Versions

  • 25.0.0-alpha.2
  • 24.0.1
  • 23.2.3
  • 22.3.6

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

🚨 Electron context isolation bypass via nested unserializable return value

Impact

Apps using contextIsolation and contextBridge are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

This issue is exploitable under either of two conditions:

  • If an API exposed to the main world via contextBridge can return an object or array that contains a JS object which cannot be serialized, for instance, a canvas rendering context. This would normally result in an exception being thrown Error: object could not be cloned.
  • If an API exposed to the main world via contextBridge has a return value that throws a user-generated exception while being sent over the bridge, for instance a dynamic getter property on an object that throws an error when being computed.

The app side workaround is to ensure that such a case is not possible. Ensure all values returned from a function exposed over the context bridge are supported and that any objects returned from functions do not have dynamic getters that can throw exceptions.

Auditing your exposed API is likely to be quite difficult so we strongly recommend you update to a patched version of Electron.

Fixed Versions

  • 25.0.0-alpha.2
  • 24.0.1
  • 23.2.3
  • 22.3.6

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

🚨 Electron's Content-Secrity-Policy disabling eval not applied consistently in renderers with sandbox disabled

Impact

A Content-Security-Policy that disables eval, specifically setting a script-src directive and not providing unsafe-eval in that directive, is not respected in renderers that have sandbox and contextIsolation disabled. i.e. sandbox: false and contextIsolation: false in the webPreferences object.

This resulted in incorrectly allowing usage of methods like eval() and new Function, which can result in an expanded attack surface.

Patches

This issue only ever affected the 22 and 23 major versions of Electron and has been fixed in the latest versions of those release lines. Specifically, these versions contain the fixes:

  • 22.0.1
  • 23.0.0-alpha.2

We recommend all apps upgrade to the latest stable version of Electron, especially if they use sandbox: false or contextIsolation: false.

Workarounds

If upgrading isn't possible, this issue can be addressed without upgrading by enabling at least one of sandbox: true or contextIsolation: true on all renderers.

const mainWindow = new BrowserWindow({
  webPreferences: {
    sandbox: true,
  }
});

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

Credit

Thanks to user @andreasdj for reporting this issue.

🚨 Heap buffer overflow in GPU

Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

🚨 Exfiltration of hashed SMB credentials on Windows via file:// redirect

Impact

When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file is not available to the renderer following the redirect, but if the redirect target is a SMB URL such as file://some.website.com/, then in some cases, Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials.

Patches

This issue has been fixed in all current stable versions of Electron. Specifically, these versions contain the fixes:

  • 21.0.0-beta.1
  • 20.0.1
  • 19.0.11
  • 18.3.7

We recommend all apps upgrade to the latest stable version of Electron.

Workarounds

If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the WebContents.on('will-redirect') event, for all WebContents:

app.on('web-contents-created', (e, webContents) => {
  webContents.on('will-redirect', (e, url) => {
    if (/^file:/.test(url)) e.preventDefault()
  })
})

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

Credit

Thanks to user @coolcoolnoworries for reporting this issue.

🚨 Exfiltration of hashed SMB credentials on Windows via file:// redirect

Impact

When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file is not available to the renderer following the redirect, but if the redirect target is a SMB URL such as file://some.website.com/, then in some cases, Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials.

Patches

This issue has been fixed in all current stable versions of Electron. Specifically, these versions contain the fixes:

  • 21.0.0-beta.1
  • 20.0.1
  • 19.0.11
  • 18.3.7

We recommend all apps upgrade to the latest stable version of Electron.

Workarounds

If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the WebContents.on('will-redirect') event, for all WebContents:

app.on('web-contents-created', (e, webContents) => {
  webContents.on('will-redirect', (e, url) => {
    if (/^file:/.test(url)) e.preventDefault()
  })
})

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

Credit

Thanks to user @coolcoolnoworries for reporting this issue.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 9 commits:

Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu cancel merge
Cancels automatic merging of this PR
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

Merge request reports