
Eb-Bsi

#34083 of 53,630
7.7 Total CVSS
Vulnerabilities · 1
PT-2024-28636
7.7
2024-07-09
Unknown · Electron-Updater · CVE-2024-39698
**Name of the Vulnerable Software and Affected Versions**

electron-updater versions prior to 6.3.0-alpha.6

**Description**

The issue concerns the signature validation routine for Electron applications on Windows, implemented in the file `packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts`. Because the verification command is run through a shell, `cmd.exe` makes a first pass over the command line and expands any environment variable it finds there. This creates a situation where `verifySignature()` can be tricked into validating the certificate of a different file than the one that was just downloaded. If that step succeeds, the malicious update is executed even though its own signature is invalid. The attack assumes a compromised update manifest, for example through a server compromise, a man-in-the-middle attack if the manifest is fetched over HTTP, or cross-site scripting that points the application to a malicious update server.

**Recommendations**

For versions prior to 6.3.0-alpha.6, update to version 6.3.0-alpha.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the `verifySignature()` function or the `windowsExecutableCodeSignatureVerifier.ts` file until a patch is applied. Avoid using environment variables in command-line arguments to minimize the risk of exploitation.