PT-2024-28636 · Unknown · Electron-Updater
Eb-Bsi +1
Published: 2024-07-09 · Updated: 2024-07-12
CVE-2024-39698
CVSS v4.0: 7.7 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: electron-updater, versions prior to 6.3.0-alpha.6
Description: The issue is in the code-signature validation routine that electron-updater runs for Electron applications on Windows, implemented in packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts. The routine shells out to PowerShell (Get-AuthenticodeSignature) with the path of the downloaded installer embedded in the command line. Because that command line is handed to a surrounding shell, cmd.exe performs a first pass over it and expands any %NAME% environment-variable reference it contains. A path that carries such a reference (for example a file name taken from the update manifest) is therefore rewritten before PowerShell sees it, and verifySignature() can be tricked into validating the signature of a different file than the one that was just downloaded. If that check passes, the malicious update is executed even though its own signature is invalid. The attack assumes a compromised update manifest: a compromised update server, a man-in-the-middle position if the manifest is fetched over HTTP, or a cross-site scripting flaw that lets an attacker point the application at a malicious update server.
Recommendations: For versions prior to 6.3.0-alpha.6, update to 6.3.0-alpha.6 or later, which resolves the issue. verifySignature() is internal to electron-updater, so there is no configuration-level workaround inside the affected versions; until the upgrade is deployed, reduce the attacker's preconditions by serving the update manifest and installers only over HTTPS from infrastructure you control, and treat any unexpected change to file names in the manifest as suspicious. If you maintain similar verification code, never pass attacker-influenced paths through a shell: invoke the verifier directly with an argument array and no shell, and reject paths containing % or other shell metacharacters so that cmd.exe-style expansion cannot change which file is checked.
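The following is an added example, not code from electron-updater or from the advisory authors. It models the mechanism in the description (a PowerShell command line that cmd.exe expands before Get-AuthenticodeSignature runs, so the verified path differs from the downloaded path) and the hardened invocation described in the recommendations. The cache directory, file names, the stub environment and the exact command string are constructed for illustration; electron-updater's real command line is not reproduced.

```javascript
// Added example, not electron-updater's own code. Models the Windows signature
// check described above: a PowerShell command line is handed to cmd.exe, which
// expands %NAME% references before PowerShell runs Get-AuthenticodeSignature,
// so the verified path can differ from the downloaded path. Paths, variable
// values and the command string are constructed for illustration.

// Minimal model of cmd.exe's %NAME% expansion: names are case-insensitive and
// an unknown name is left untouched. Real cmd.exe also supports the
// %NAME:~start,len% and %NAME:old=new% forms, which are not modelled here.
function expandCmdEnvVars(commandLine, env) {
  return commandLine.replace(/%([^%]+)%/g, (whole, name) => {
    const key = Object.keys(env).find((k) => k.toLowerCase() === name.toLowerCase());
    return key === undefined ? whole : env[key];
  });
}

// Shape of the vulnerable step (constructed, not the project's literal string):
// the downloaded file's path is spliced into a command string that a shell
// sees first (e.g. execFile with { shell: true }).
function buildVulnerableCommandLine(downloadedPath) {
  return `powershell.exe -NoProfile -Command "Get-AuthenticodeSignature '${downloadedPath}' | ConvertTo-Json"`;
}

// The path PowerShell would actually receive after cmd.exe's expansion pass.
function pathPowerShellWillVerify(downloadedPath, env) {
  const expanded = expandCmdEnvVars(buildVulnerableCommandLine(downloadedPath), env);
  const match = expanded.match(/Get-AuthenticodeSignature '([^']*)'/);
  return match ? match[1] : null;
}

// True when the file whose signature gets checked is the file that was downloaded.
function verifiesDownloadedFile(downloadedPath, env) {
  return pathPowerShellWillVerify(downloadedPath, env) === downloadedPath;
}

// Hardened shape: no shell, an argument vector, PowerShell single-quote
// escaping, and an explicit refusal of paths cmd.exe could reinterpret (belt
// and braces, since with shell: false cmd.exe never sees the path). Returns
// the spawn description instead of running it so this runs offline anywhere.
function buildSafeInvocation(downloadedPath) {
  if (/[%&|<>^"]/.test(downloadedPath)) {
    throw new Error(`refusing to verify a path with shell metacharacters: ${downloadedPath}`);
  }
  const quoted = `'${downloadedPath.replace(/'/g, "''")}'`;
  return {
    file: 'powershell.exe',
    args: ['-NoProfile', '-NonInteractive', '-Command',
           `Get-AuthenticodeSignature -LiteralPath ${quoted} | ConvertTo-Json`],
    options: { shell: false, windowsHide: true },
  };
}

// Constructed scenario: the cache directory is fixed, the file name comes from
// the update manifest, and the environment is a stub of a Windows session.
const CACHE_DIR = 'C:\\Users\\alice\\AppData\\Local\\my-app-updater\\pending';
const STUB_ENV = { SystemRoot: 'C:\\Windows', ProgramFiles: 'C:\\Program Files' };

function demo() {
  const honest = `${CACHE_DIR}\\MyApp-Setup-1.2.3.exe`;
  const crafted = `${CACHE_DIR}\\MyApp-Setup-%SystemRoot%.exe`;
  console.log('honest  ->', pathPowerShellWillVerify(honest, STUB_ENV));
  console.log('crafted ->', pathPowerShellWillVerify(crafted, STUB_ENV));
  console.log('safe    ->', buildSafeInvocation(honest).args.join(' '));
  try {
    buildSafeInvocation(crafted);
  } catch (err) {
    console.log('rejected:', err.message);
  }
}

demo();
```

Run it with node; the crafted path prints with %SystemRoot% already replaced, which is the file PowerShell would check instead of the downloaded one. Whether a given expansion lands on an existing, validly signed file is not something the advisory discusses; the point is only that the checked path is no longer the downloaded path. The hardened version pins the verified file by passing the path as a distinct argument to powershell.exe with shell: false, and the metacharacter check makes the failure loud rather than silent.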

Weakness Enumeration

Improper Certificate Validation (CWE-295)

Related Identifiers

CVE-2024-39698
GHSA-9jxc-qjr9-vjxq

Affected Products

Electron-Updater