PT-2024-21807 · Unknown · Electron-Builder
Bruno-1337 · Published 2024-03-04 · Updated 2025-12-03 · CVE-2024-27303
CVSS v3.1: 7.3 (High)
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: electron-builder versions prior to 24.13.2

Description: A vulnerability in electron-builder for Windows allows an attacker to get a malicious file named cmd.exe executed if it is placed in the same folder as the installer. The NSIS installer makes a system call to open cmd.exe via nsExec in the .nsh installer script, passing the bare name cmd.exe rather than a full path. nsExec resolves that name by searching the current directory (the folder the installer runs from) before searching PATH, so a cmd.exe placed next to the installer is run instead of the system one. This issue is fixed in version 24.13.2.

Recommendations: For versions prior to 24.13.2, update to version 24.13.2 to resolve the issue. As a temporary workaround, consider avoiding the NSIS installer until the update is applied. Restrict access to the folder holding the installer to minimize the risk of exploitation, and do not place any executable files in the same folder as the installer.
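The defect class here is an unqualified program name handed to nsExec. The script below is an added example, not part of this advisory or of electron-builder's own code: it scans NSIS script text for nsExec/Exec calls whose program is not given as a path or NSIS variable, and rewrites a bare cmd/cmd.exe to "$SYSDIR\cmd.exe". The sample .nsh lines are constructed; treating the NSIS built-ins Exec/ExecWait like nsExec, and $SYSDIR\cmd.exe as the hardened form, are assumptions made for the example.

```python
"""Audit NSIS (.nsh/.nsi) script text for program names that are left to
search-order resolution, the pattern behind CVE-2024-27303 (added example)."""
import re

# Calls whose first argument is a command line starting with a program name.
# nsExec::* is what the advisory names; Exec/ExecWait are NSIS built-ins that
# are ASSUMED here to resolve unqualified names the same way.
CALL_RE = re.compile(
    r'^\s*(nsExec::(?:ExecToStack|ExecToLog|Exec)|ExecWait|Exec)\s+(\S.*?)\s*$'
)
DELIMS = "'\"`"  # NSIS string delimiters


def program_of(command: str) -> str:
    """Return the program token from an NSIS command-line string literal."""
    body = command
    if len(body) >= 2 and body[0] in DELIMS and body[-1] == body[0]:
        body = body[1:-1]                    # drop the outer NSIS delimiters
    body = body.strip()
    if body.startswith('"'):                 # quoted program path
        end = body.find('"', 1)
        return body[1:end] if end != -1 else body[1:]
    return body.split()[0] if body else ""   # first whitespace-separated token


def is_qualified(program: str) -> bool:
    """True if the program is a path or starts with an NSIS variable ($SYSDIR, $INSTDIR, ...)."""
    return program.startswith("$") or "\\" in program or "/" in program


def audit(script: str) -> list:
    """Return (line_no, call, program) for every call whose program name is unqualified."""
    findings = []
    for line_no, line in enumerate(script.splitlines(), 1):
        if line.lstrip().startswith((";", "#")):   # NSIS comment line
            continue
        m = CALL_RE.match(line)
        if not m:
            continue
        program = program_of(m.group(2))
        if program and not is_qualified(program):
            findings.append((line_no, m.group(1), program))
    return findings


# Matches a bare cmd / cmd.exe right after the opening string delimiter.
CMD_RE = re.compile(
    r'^(\s*(?:nsExec::\w+|ExecWait|Exec)\s+([\'"`]))cmd(?:\.exe)?(?=\s)', re.IGNORECASE
)


def harden_line(line: str) -> str:
    """Rewrite a bare cmd/cmd.exe to the system-directory copy (assumed fix).
    Inside a "-delimited NSIS string the inner quotes must be written as $\"."""
    def repl(m):
        prefix, delim = m.group(1), m.group(2)
        path = r'$SYSDIR\cmd.exe'
        quoted = f'$\\"{path}$\\"' if delim == '"' else f'"{path}"'
        return prefix + quoted
    return CMD_RE.sub(repl, line, count=1)


# Constructed sample script; not electron-builder's real template.
SAMPLE_NSH = "\n".join([
    "; constructed sample",
    "nsExec::ExecToStack 'cmd /c taskkill /f /im \"myapp.exe\"'",                  # line 2: flagged
    'nsExec::ExecToLog "cmd.exe /c echo done"',                                     # line 3: flagged
    "nsExec::ExecToStack '\"$SYSDIR\\cmd.exe\" /c taskkill /f /im \"myapp.exe\"'",  # qualified, ok
    "ExecWait '\"$INSTDIR\\Uninstall.exe\" /S'",                                   # qualified, ok
    "nsExec::Exec `\"$SYSDIR\\cmd.exe\" /c echo safe`",                            # qualified, ok
])

if __name__ == "__main__":
    for line_no, call, program in audit(SAMPLE_NSH):
        print(f"line {line_no}: {call} resolves '{program}' through the search order")
    print("--- hardened ---")
    for line in SAMPLE_NSH.splitlines():
        print(harden_line(line))
```

Run it over a project's .nsh files to find other calls that rely on search-order resolution; the rewrite only handles cmd.exe, which is the case named in this advisory, and other unqualified names reported by audit() still need a full path or an NSIS variable such as $SYSDIR chosen by hand.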

Weakness Enumeration: Untrusted Search Path; Uncontrolled Search Path Element

Related Identifiers: CVE-2024-27303, GHSA-R4PF-3V7R-HH55, OPENSUSE-SU-2024:13782-1

Affected Products: Electron-Builder