CVE-2016-10534

Name of the Vulnerable Software and Affected Versions electron-packager versions 5.2.1 through 6.0.2

Description The issue allows an attacker to perform a man-in-the-middle attack due to the --strict-ssl command line option defaulting to false if not explicitly set to true. This could enable an attacker with a privileged network position to launch a Man In The Middle (MITM) attack on the install process, intercepting the step where electron-packager downloads Electron for supported target platforms and architectures, and replacing the valid download with a tampered malicious one. The issue only affects users using the electron-packager CLI, as the strict-ssl option defaults to true for the node.js API.

Recommendations Update to version 7.0.0 or later. Delete the electron-download cache folder, which is by default located at ~/.electron.