PT-2017-12586 · Electron · Electron

Published 2017-08-06 · Updated 2022-05-17 · CVE-2017-12581

CVSS v2.0: 9.3 High
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions
Electron versions prior to 1.6.8

Description
The issue allows remote command execution due to a nodeIntegration bypass vulnerability. This vulnerability affects not only Electron but also all applications that bundle Electron code equivalent to 1.6.8 or earlier. Bypassing the Same Origin Policy (SOP) is necessary to exploit this issue, and recent Electron versions do not enforce SOP strictly. By combining an SOP bypass with a privileged URL internally used by Electron, an attacker can execute native Node.js primitives to run OS commands on the user's host. Specifically, a chrome-devtools://devtools/bundled/inspector.html window can be used to eval a Node.js child_process.execFile API call.

Recommendations
For versions prior to 1.6.8, update to version 1.6.8 or later to resolve the issue. As a temporary workaround, consider restricting access to privileged URLs internally used by Electron, such as chrome-devtools://devtools/bundled/inspector.html, to minimize the risk of exploitation. Additionally, avoid using the child_process.execFile API call in affected applications until the issue is resolved.
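One way to apply the temporary workaround in an application's main process, as an added example (not code from Electron or from this advisory): refuse navigations and new windows whose scheme is outside an allow-list, which excludes chrome-devtools://. The function names and the allowed schemes are assumptions; the handlers rely on the webContents 'will-navigate' and 'new-window' events of Electron 1.x, and updating to 1.6.8 or later remains the fix.

```javascript
// Assumption: the application only ever needs to load these schemes.
// Everything else, including chrome-devtools:, is refused.
const ALLOWED_SCHEMES = new Set(['https:', 'http:', 'file:']);

// Returns true when a navigation or window target must be refused.
function isRefusedTarget(target, allowed = ALLOWED_SCHEMES) {
  let parsed;
  try {
    // The WHATWG parser lower-cases the scheme and trims surrounding
    // whitespace, so case or padding variants compare equal.
    parsed = new URL(String(target));
  } catch (err) {
    return true; // unparseable target: fail closed
  }
  return !allowed.has(parsed.protocol);
}

// Attaches the check to a webContents-like object (anything with .on()).
// In an Electron 1.x main process this would be called as
// guardContents(mainWindow.webContents) for every window created.
function guardContents(contents, log = console.warn) {
  const refuse = (event, url) => {
    if (isRefusedTarget(url)) {
      event.preventDefault(); // cancels the navigation or window creation
      log(`refused target outside allow-list: ${url}`);
    }
  };
  contents.on('will-navigate', refuse); // in-page navigation
  contents.on('new-window', refuse);    // window.open and target=_blank
  return contents;
}
```

The log line doubles as a detection signal: a refused chrome-devtools:// target in a production build is worth an alert.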

Exploit

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2017-12581
GHSA-7FV9-M79R-J9X8

Affected Products

Electron