Summary
In development mode, the main window loads process.env['ELECTRON_RENDERER_URL'] via loadURL without asserting the URL is local-only.
Details
Packaged builds use loadFile so this is not a production vulnerability. However, in a compromised development environment a malicious environment variable could load an untrusted renderer that receives the full preload API.
File: src/main/window.ts
Recommended fix
Assert the URL starts with http://localhost or http://127.0.0.1 before calling loadURL. Fail closed if non-local or invalid. Keep the existing !app.isPackaged guard in place.
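One way to implement the recommended check, as an added example that is not the project's own code: parse the value with the WHATWG URL class and compare the hostname exactly, which is stricter than a string prefix test (a prefix test would also accept hosts such as localhost.example). The function and error class names are assumptions.

```typescript
// Added example: validate ELECTRON_RENDERER_URL before BrowserWindow.loadURL.
// Names (assertLocalRendererUrl, RendererUrlError) are assumptions, not the
// project's own identifiers.

const ALLOWED_HOSTS = new Set(["localhost", "127.0.0.1"]);

class RendererUrlError extends Error {}

// Returns the normalized URL when it is a plain http URL on a loopback host;
// throws otherwise (fail closed). Exact hostname comparison rejects lookalikes
// such as http://localhost.example; user:password@ forms are rejected too.
function assertLocalRendererUrl(raw: string | undefined): string {
  if (!raw) {
    throw new RendererUrlError("ELECTRON_RENDERER_URL is not set");
  }
  let parsed: URL;
  try {
    parsed = new URL(raw);
  } catch {
    throw new RendererUrlError(`ELECTRON_RENDERER_URL is not a valid URL: ${raw}`);
  }
  const ok =
    parsed.protocol === "http:" &&
    ALLOWED_HOSTS.has(parsed.hostname) &&
    parsed.username === "" &&
    parsed.password === "";
  if (!ok) {
    throw new RendererUrlError(`ELECTRON_RENDERER_URL must be a local http URL, got: ${raw}`);
  }
  return parsed.toString();
}

// Boolean form of the same check, convenient for tests and logging.
function isLocalRendererUrl(raw: string | undefined): boolean {
  try {
    assertLocalRendererUrl(raw);
    return true;
  } catch {
    return false;
  }
}

// Intended call site in src/main/window.ts (sketch; needs Electron to run):
// if (!app.isPackaged) {
//   mainWindow.loadURL(assertLocalRendererUrl(process.env['ELECTRON_RENDERER_URL']));
// } else {
//   mainWindow.loadFile(/* packaged renderer index.html */);
// }
```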
Source
Security audit v0.9.0 (Codex) — L-02.