This article is more than 1 year old

Have you updated your Electron app? We hope so. There was a bad code-injection bug in it

Infosec bods remind devs, users to check for patches

Electron – the widely used desktop application framework that renders top programs such as Slack, Atom, and Visual Studio Code – suffered from a security vulnerability that potentially allows miscreants to execute evil code on victims' computers.

That means applications relying on Electron may need updating. If you use an Electron-based program – there's a list here – you should follow best practices and make sure you're running the latest release of the software. And app developers should ensure their software is patched, or at least not vulnerable, and available to download.

The programming blunder was highlighted and described in detail this month by TrustWave's Brendan Scarvell. In short: the bug, CVE-2018-1000136, can be exploited to import arbitrary code into the application via Node.js.

An app developer only needed to be a little careless, and accept the default settings, and their application would be vulnerable. The issue was fixed in late March by the Electron team.

Scarvell noted that the framework is used by “Slack, Discord, Signal, Atom, Visual Studio Code, and Github Desktop,” among others, although the Signal team told us that Signal for Desktop was not affected by the above flaw. Similarly, other apps may not be vulnerable.

Scarvell set out the conditions for an app to be at risk: it's built on Electron version < 1.7.13, < 1.8.4, or < 2.0.0-beta.3, and the developer hasn't manually opted one of the following:

  • ”Declared webviewTag: false in its webPreferences;
  • ”Enabled the nativeWindowOption option in its webPreferences; or
  • ”Intercepting new-window events and overriding event.newGuest without using the supplied options tag.”

So, what's going on here? Setting nodeIntegration: false in an app's webPreferences is supposed to prevent the software using Electron's APIs from gaining access to Node.js – and that's switched off by default.

The nodeIntegration: false setting also saves the developer the effort of sanitising user inputs which, if they were handled by Node.js, would enable cross-site-scripting attacks.

As Scarvell explained, the vulnerability he found allowed an attacker to change the nodeIntegration setting to “true”.

The issue is in the handling of another tag, WebView, which allows a developer to “embed content, such as web pages, into your Electron application and run it as a separate process,” in combination with how Electron handles new browser windows.

An attacker, he wrote, could control the new browser window (the command) to pass a WebView tag that enabled nodeIntegration (that is, set it to “true”).

Electron provided a patch to CVE-2018-1000136 in versions 1.7.13, 1.8.4, 2.0.0-beta.4 here, along with mitigation instructions if, for some reason, a developer can't upgrade. ®

More about

More about

More about


Send us news

Other stories you might like