CVE-2018-1000006
Remote Code Execution in electron
Description
Affected versions of `electron` may be susceptible to a remote code execution flaw when certain conditions are met:

1. The electron application is running on Windows.
2. The electron application registers as the default handler for a protocol, such as `nodeapp://`.

This vulnerability is caused by a failure to sanitize additional arguments to chromium in the command line handler for Electron. MacOS and Linux are not vulnerable.

## Recommendation

Update electron to a version that is not vulnerable. If updating is not possible, the electron team has provided the following guidance:

If for some reason you are unable to upgrade your Electron version, you can append `--` as the last argument when calling `app.setAsDefaultProtocolClient`, which prevents Chromium from parsing further options. The double dash `--` signifies the end of command options, after which only positional parameters are accepted.

```
app.setAsDefaultProtocolClient(protocol, process.execPath, [
  '--your-switches-here',
  '--'
])
```
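The workaround above as a small, testable helper (an added example, not code from the Electron project or the advisory): it builds the argument list for `app.setAsDefaultProtocolClient` so that `--` is always the final element, rejects argument lists where a switch follows `--` (Chromium would still parse those), and offers an audit check for existing registrations. The `app` object is passed in so the helper can be exercised outside Electron with a stand-in; `protocol`, `switches` and the `registerProtocolClient` wrapper are assumed names.

```javascript
// Added example, not Electron's own code. The `--` terminator tells Chromium
// to stop switch parsing, so the protocol URL the OS appends on Windows can
// only ever be a positional argument, never an injected switch.

const SWITCH_TERMINATOR = '--';

// Return a copy of `switches` with `--` guaranteed to be the last element.
// Throws if the caller placed `--` anywhere but the end, because switches
// after it would still be parsed by Chromium and the mitigation would be moot.
function buildProtocolClientArgs(switches = []) {
  const idx = switches.indexOf(SWITCH_TERMINATOR);
  if (idx !== -1 && idx !== switches.length - 1) {
    throw new Error(`'--' must be the last argument, found it at index ${idx}`);
  }
  const args = switches.filter((s) => s !== SWITCH_TERMINATOR);
  args.push(SWITCH_TERMINATOR);
  return args;
}

// Audit helper for existing code: does this argument list already end in `--`?
function endsWithSwitchTerminator(args) {
  return args.length > 0 && args[args.length - 1] === SWITCH_TERMINATOR;
}

// Register `protocol` (e.g. "nodeapp") for this executable with a hardened
// argument list. `app` is Electron's app module (or a stand-in in tests);
// `execPath` defaults to process.execPath, as in the advisory's snippet.
function registerProtocolClient(app, protocol, switches = [], execPath = process.execPath) {
  const args = buildProtocolClientArgs(switches);
  const ok = app.setAsDefaultProtocolClient(protocol, execPath, args);
  return { ok, args };
}

// In an Electron main process this would be called as:
//   registerProtocolClient(require('electron').app, 'nodeapp', ['--your-switches-here']);
// which registers with the arguments ['--your-switches-here', '--'].
```

Running `endsWithSwitchTerminator` over the argument lists your code base passes to `setAsDefaultProtocolClient` is a quick way to find registrations that still lack the terminator.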
How to fix CVE-2018-1000006
To remediate CVE-2018-1000006, upgrade the affected package to a fixed version below.
- `electron`: upgrade to 1.7.11 or later
Is CVE-2018-1000006 being exploited?
Likely — EPSS is 92.3%, placing CVE-2018-1000006 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- >= 1.7.0, < 1.7.11
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.8) | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |