Electron's sandboxed renderers can obtain thumbnails of arbitrary files through the nativeImage API
Moderate severity
GitHub Reviewed
Published
Oct 12, 2021
in
electron/electron
•
Updated Jan 30, 2023
Package
Affected versions
< 11.5.0
>= 12.0.0, < 12.1.0
>= 13.0.0, < 13.3.0
Patched versions
11.5.0
12.1.0
13.3.0
Description
Reviewed
Oct 12, 2021
Published by the National Vulnerability Database
Oct 12, 2021
Published to the GitHub Advisory Database
Oct 12, 2021
Last updated
Jan 30, 2023
Impact
This vulnerability allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases.
All current stable versions of Electron are affected.
Patches
This was fixed with #30728, and the following Electron versions contain the fix:
Workarounds
If your app enables
contextIsolation
, this vulnerability is significantly more difficult for an attacker to exploit.Further, if your app does not depend on the
createThumbnailFromPath
API, then you can simply disable the functionality. In the main process, before the 'ready' event:For more information
If you have any questions or comments about this advisory, email us at [email protected].
References