CVE-2023-29198

Name of the Vulnerable Software and Affected Versions Electron versions prior to 22.3.6 Electron versions prior to 23.2.3 Electron versions prior to 24.0.1 Electron versions prior to 25.0.0-alpha.2

Description Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML, and CSS. Electron apps using contextIsolation and contextBridge are affected by a context isolation bypass issue. This means that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. The issue is only exploitable if an API exposed to the main world via contextBridge can return an object or array that contains a JavaScript object which cannot be serialized, such as a canvas rendering context. This would normally result in an exception being thrown Error: object could not be cloned.

Recommendations For versions prior to 22.3.6, update to version 22.3.6 or later. For versions prior to 23.2.3, update to version 23.2.3 or later. For versions prior to 24.0.1, update to version 24.0.1 or later. For versions prior to 25.0.0-alpha.2, update to version 25.0.0-alpha.2 or later. As a temporary workaround, ensure that all values returned from a function exposed over the contextBridge are supported and that any objects returned from functions do not have dynamic getters that can throw exceptions.