Electron Vulnerable to Code Execution by Re-Enabling Node.js Integration

GHSA-8xwg-wv7v-4vqp · CVE-2018-1000136

Published Mar 26, 2018 · Modified Nov 8, 2023

Description

A vulnerability has been discovered which allows Node.js integration to be re-enabled in some Electron applications that disable it.

For the application to be impacted by this vulnerability it must meet all of these conditions

Runs on Electron 1.7, 1.8, or a 2.0.0-beta
Allows execution of arbitrary remote code
Disables Node.js integration
Does not explicitly declare webviewTag: false in its webPreferences
Does not enable the nativeWindowOption option
Does not intercept new-window events and manually override event.newGuest without using the supplied options tag

Recommendation

Update to electron version 1.7.13, 1.8.4, or 2.0.0-beta.5 or later.

If you are unable to update your Electron version can mitigate the vulnerability with the following code.

app.on('web-contents-created', (event, win) => {
  win.on('new-window', (event, newURL, frameName, disposition,
                        options, additionalFeatures) => {
    if (!options.webPreferences) options.webPreferences = {};
    options.webPreferences.nodeIntegration = false;
    options.webPreferences.nodeIntegrationInWorker = false;
    options.webPreferences.webviewTag = false;
    delete options.webPreferences.preload;
  })
})

// and *IF* you don't use WebViews at all,
// you might also want
app.on('web-contents-created', (event, win) => {
  win.on('will-attach-webview', (event, webPreferences, params) => {
    event.preventDefault();
  })
})

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes