PT-2023-19083 · Electron · Electron

Andreasdj · Published 2023-09-06 · Updated 2024-06-15 · CVE-2023-23623

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Electron versions 22 through 23
Description: A Content-Security-Policy that disables eval is not respected in renderers with sandbox disabled, allowing methods like eval() and new Function to be used unexpectedly, which can result in an expanded attack surface. This issue is related to the script-src directive not including unsafe-eval. The affected renderers have sandbox: false in the webPreferences object.
Recommendations: For Electron version 22, upgrade to version 22.0.1. For Electron version 23, upgrade to version 23.0.0-alpha.2. If upgrading is not possible, enable sandbox: true on all renderers as a temporary workaround. Alternatively, enabling contextIsolation: true on all renderers can also address the issue.
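The following is an added example, not code from the advisory or from the Electron project: a small audit that takes a renderer's webPreferences object and the application's Content-Security-Policy string, flags the combination described above (CSP without 'unsafe-eval' in script-src, but neither sandbox nor contextIsolation enabled), and produces the hardened webPreferences the workaround calls for. It uses plain objects rather than the electron module, so it runs under Node.js; the sample configurations at the bottom are constructed.

```javascript
// Added example (not from the advisory): audit Electron webPreferences
// against the CVE-2023-23623 conditions. Plain objects stand in for the
// BrowserWindow options, so no Electron import is needed.

// Parse a CSP header value into a map of directive name -> source list.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives[name.toLowerCase()] = values;
  }
  return directives;
}

// True when the policy intends to block eval(): script-src (falling back to
// default-src) is present and does not list 'unsafe-eval'.
function cspDisablesEval(header) {
  const d = parseCsp(header);
  const src = d['script-src'] || d['default-src'];
  if (!src) return false; // no script restriction at all
  return !src.map((v) => v.toLowerCase()).includes("'unsafe-eval'");
}

// On the affected versions the CSP eval restriction is only honoured when the
// renderer is sandboxed (or, per the advisory, context-isolated); report the
// case where the policy relies on eval being blocked but neither is set.
function auditRenderer(webPreferences, cspHeader) {
  const sandboxed = webPreferences.sandbox === true;
  const isolated = webPreferences.contextIsolation === true;
  const findings = [];
  if (cspDisablesEval(cspHeader) && !sandboxed && !isolated) {
    findings.push(
      'CSP eval restriction not enforced: set sandbox: true (or contextIsolation: true) in webPreferences'
    );
  }
  return findings;
}

// Hardened counterpart: a copy of the options with the workaround applied.
function hardenWebPreferences(webPreferences) {
  return { ...webPreferences, sandbox: true, contextIsolation: true };
}

// Constructed sample inputs: the weak renderer config and a CSP that omits 'unsafe-eval'.
const WEAK_PREFS = { sandbox: false, contextIsolation: false, nodeIntegration: false };
const CSP_NO_EVAL = "default-src 'self'; script-src 'self'";

module.exports = { parseCsp, cspDisablesEval, auditRenderer, hardenWebPreferences, WEAK_PREFS, CSP_NO_EVAL };
```

Running auditRenderer(WEAK_PREFS, CSP_NO_EVAL) returns one finding, while auditRenderer(hardenWebPreferences(WEAK_PREFS), CSP_NO_EVAL) returns none.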

Exploit

Fix


Weakness Enumeration

Related identifiers

CVE-2023-23623
GHSA-GXH7-WV9Q-FWFR
OPENSUSE-SU-2024:12869-1

Affected products

Electron