CVE-2020-26272

Description

### Impact IPC messages sent from the main process to a subframe in the renderer process, through `webContents.sendToFrame`, `event.reply` or when using the `remote` module, can in some cases be delivered to the wrong frame. If your app does ANY of the following, then it is impacted by this issue: - Uses `remote` - Calls `webContents.sendToFrame` - Calls `event.reply` in an IPC message handler ### Patches This has been fixed in the following versions: - 9.4.0 - 10.2.0 - 11.1.0 - 12.0.0-beta.9 ### Workarounds There are no workarounds for this issue. ### For more information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org).

How to fix CVE-2020-26272

To remediate CVE-2020-26272, upgrade the affected package to a fixed version below.

• —upgrade to 9.4.0 or later

Is CVE-2020-26272 being exploited?

Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 9.4.0

CVSS scores

References (10)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-26272
• WEBgithub.com/electron/electron/commit/07a1c2a3e5845901f7e2eda9506695be58edc73c
• WEBgithub.com/electron/electron/commit/0bbd268eb4caf35604443df5ff196980dd49e208
• WEBgithub.com/electron/electron/commit/36c695ce2a7e22c07fe1e30c61c00d20371daee2