HIGH🇵🇱 Wersja polska

CVE-2017-12581

CVSS 8.1v3.0pub. 2017-08-06upd. 2026-05-13

GitHub Electron before 1.6.8 allows remote command execution because of a nodeIntegration bypass vulnerability. This also affects all applications that bundle Electron code equivalent to 1.6.8 or earlier. Bypassing the Same Origin Policy (SOP) is a precondition; however, recent Electron versions do not have strict SOP enforcement. Combining an SOP bypass with a privileged URL internally used by Electron, it was possible to execute native Node.js primitives in order to run OS commands on the user's host. Specifically, a chrome-devtools://devtools/bundled/inspector.html window could be used to eval a Node.js child_process.execFile API call.

CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Electron

    APP
    Electron
    ≤ 1.6.7
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Command Injection
CWE
References

Related vulnerabilities

CVE-2024-39698HIGH7.5ten sam vendor

electron-updater allows for automatic updates for Electron apps. The file `packages/electron-updater/src/windo...

CVE-2024-27303HIGH7.3ten sam vendor

electron-builder is a solution to package and build a ready for distribution Electron, Proton Native app for m...