Launch Week Day 1: Announcing Security Design Review
Start for Free
MEDIUM 6.6 npm

AutoUpdater module fails to validate certain nested components of the bundle

GHSA-77xc-hjv8-ww97 · CVE-2022-29257

Published · Modified

Description

Impact

This vulnerability allows attackers who have control over a given apps update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components.

Please note that this kind of attack would require significant privileges in your own auto updating infrastructure and the ease of that attack entirely depends on your infrastructure security.

Patches

This has been patched and the following Electron versions contain the fix:

  • 18.0.0-beta.6
  • 17.2.0
  • 16.2.0
  • 15.5.0

Workarounds

There are no workarounds for this issue, please update to a patched version of Electron.

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes