CVE-2018-1000136
Electron Vulnerable to Code Execution by Re-Enabling Node.js Integration
Description
A vulnerability has been discovered which allows Node.js integration to be re-enabled in some Electron applications that disable it. For the application to be impacted by this vulnerability it must meet all of these conditions - Runs on Electron 1.7, 1.8, or a 2.0.0-beta - Allows execution of arbitrary remote code - Disables Node.js integration - Does not explicitly declare webviewTag: false in its webPreferences - Does not enable the nativeWindowOption option - Does not intercept new-window events and manually override event.newGuest without using the supplied options tag ## Recommendation Update to `electron` version 1.7.13, 1.8.4, or 2.0.0-beta.5 or later. If you are unable to update your Electron version can mitigate the vulnerability with the following code. ```js app.on('web-contents-created', (event, win) => { win.on('new-window', (event, newURL, frameName, disposition, options, additionalFeatures) => { if (!options.webPreferences) options.webPreferences = {}; options.webPreferences.nodeIntegration = false; options.webPreferences.nodeIntegrationInWorker = false; options.webPreferences.webviewTag = false; delete options.webPreferences.preload; }) }) // and *IF* you don't use WebViews at all, // you might also want app.on('web-contents-created', (event, win) => { win.on('will-attach-webview', (event, webPreferences, params) => { event.preventDefault(); }) }) ```
How to fix CVE-2018-1000136
To remediate CVE-2018-1000136, upgrade the affected package to a fixed version below.
- —upgrade to 1.7.13 or later
Is CVE-2018-1000136 being exploited?
Low — EPSS is 1.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 1.7.0, < 1.7.13