Skip to content

Context isolation bypass via contextBridge

Moderate
MarshallOfSound published GHSA-h9jc-284h-533g Jul 6, 2020

Package

npm electron (npm)

Affected versions

>=9.0.0-beta.0 <=9.0.0-beta.20 || >=8.0.0-beta.0 <=8.2.3 || >= 7.0.0-beta < =7.2.3 || <7

Patched versions

7.2.4,8.2.4,9.0.0-beta.21

Description

Impact

Apps using both contextIsolation and contextBridge are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

  • 9.0.0-beta.21
  • 8.2.4
  • 7.2.4

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

CVE-2020-4077

Weaknesses

No CWEs