CVE-2022-29247

Name of the Vulnerable Software and Affected Versions Electron versions prior to 18.0.0-beta.6 Electron versions prior to 17.2.0 Electron versions prior to 16.2.6 Electron versions prior to 15.5.5

Description The issue is related to the nodeIntegrationInSubFrames parameter in Electron, which can lead to information disclosure. A renderer with JavaScript execution can obtain access to a new renderer process with nodeIntegrationInSubFrames enabled, allowing effective access to ipcRenderer. This access can compromise the application or user if the application exposes IPC messages without IPC senderFrame validation that perform privileged actions or return confidential data.

Recommendations For versions prior to 18.0.0-beta.6, update to version 18.0.0-beta.6 or later. For versions prior to 17.2.0, update to version 17.2.0 or later. For versions prior to 16.2.6, update to version 16.2.6 or later. For versions prior to 15.5.5, update to version 15.5.5 or later. As a temporary workaround, ensure that all IPC message handlers appropriately validate senderFrame.