Electron · Electron · CVE-2023-23623
**Name of the Vulnerable Software and Affected Versions**
Electron versions 22 through 23
**Description**
A Content-Security-Policy that disables eval is not respected in renderers with the sandbox disabled, so methods like `eval()` and `new Function` can still be used unexpectedly, which expands the attack surface. This issue applies when the `script-src` directive does not include `'unsafe-eval'`. The affected renderers have `sandbox: false` in their `webPreferences` object.
**Recommendations**
For Electron version 22, upgrade to version 22.0.1.
For Electron version 23, upgrade to version 23.0.0-alpha.2.
If upgrading is not possible, enable `sandbox: true` on all renderers as a temporary workaround. Alternatively, enabling `contextIsolation: true` on all renderers can also address the issue.
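The following audit helper is an added example, not code from the Electron project or from this advisory. It parses a CSP the way a renderer would interpret it (`script-src`, falling back to `default-src` when `script-src` is absent) and flags `webPreferences` objects that match the affected configuration: a policy that forbids eval combined with both `sandbox` and `contextIsolation` explicitly set to `false`. The sample configurations and the CSP string are constructed for the example; it assumes the app passes such objects to `new BrowserWindow({ webPreferences })`, treats only an explicit `false` as disabled, and does not model Electron's version-dependent defaults.

```javascript
// Added example (not from the Electron advisory or project): audit BrowserWindow
// webPreferences against the configuration described in CVE-2023-23623.
// Assumptions: the objects below would be passed to new BrowserWindow({ webPreferences });
// an explicitly false field counts as disabled; Electron's defaults are not modelled.

// Split a CSP policy string into a map of directive name -> source expressions.
function parseCsp(csp) {
  const directives = new Map();
  for (const chunk of csp.split(';')) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// The policy forbids eval() / new Function when the governing script-src
// (falling back to default-src, as CSP does) omits the 'unsafe-eval' keyword.
function cspDisablesEval(csp) {
  const directives = parseCsp(csp);
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return false; // no script restriction at all
  return !sources.map((s) => s.toLowerCase()).includes("'unsafe-eval'");
}

// A renderer is exposed when its CSP is meant to block eval but both settings
// the advisory names as mitigations (sandbox, contextIsolation) are turned off.
function auditRenderer(csp, webPreferences) {
  if (!cspDisablesEval(csp)) {
    return { exposed: false, reason: 'CSP already permits eval; nothing for the bug to bypass' };
  }
  if (webPreferences.sandbox !== false) {
    return { exposed: false, reason: 'sandbox is not disabled' };
  }
  if (webPreferences.contextIsolation !== false) {
    return { exposed: false, reason: 'contextIsolation is not disabled' };
  }
  return { exposed: true, reason: 'sandbox and contextIsolation both disabled while CSP forbids eval' };
}

// Audit a list of [windowName, webPreferences] pairs in one pass.
function auditAll(csp, configs) {
  return configs.map(([name, prefs]) => ({ name, ...auditRenderer(csp, prefs) }));
}

// Constructed sample configurations: the affected shape beside the workaround.
const vulnerableWebPreferences = { sandbox: false, contextIsolation: false, nodeIntegration: false };
const workaroundWebPreferences = { sandbox: true, contextIsolation: true };
const sampleCsp = "default-src 'self'; script-src 'self'";

for (const result of auditAll(sampleCsp, [
  ['main-window', vulnerableWebPreferences],
  ['main-window-fixed', workaroundWebPreferences],
])) {
  console.log(`${result.name}: ${result.exposed ? 'EXPOSED' : 'ok'} (${result.reason})`);
}
```

Run this against every `webPreferences` object the app builds before windows are created; either of the advisory's two workarounds on its own moves a renderer out of the exposed state, and a CSP that already carries `'unsafe-eval'` is reported as not exposed because there is no eval restriction for the bug to bypass.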