Skip to content

Arbitrary file read via window-open IPC in Electron

Moderate severity GitHub Reviewed Published Jul 6, 2020 in electron/electron • Updated Jan 9, 2023

Package

npm electron (npm)

Affected versions

>= 8.0.0, < 8.2.4
< 7.2.4

Patched versions

8.2.4
7.2.4

Description

Impact

The vulnerability allows arbitrary local file read by defining unsafe window options on a child window opened via window.open.

Workarounds

Ensure you are calling event.preventDefault() on all new-window events where the url or options is not something you expect.

Fixed Versions

  • 9.0.0-beta.21
  • 8.2.4
  • 7.2.4

For more information

If you have any questions or comments about this advisory:

References

@MarshallOfSound MarshallOfSound published to electron/electron Jul 6, 2020
Reviewed Jul 6, 2020
Published to the GitHub Advisory Database Jul 7, 2020
Last updated Jan 9, 2023

Severity

Moderate
6.8
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Weaknesses

CVE ID

CVE-2020-4075

GHSA ID

GHSA-f9mq-jph6-9mhm

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.