Jan Electron Desktop Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in Jan Electron Desktop versions up to and including 0.5.14. The issue arises when a user clicks on a rendered link within the application, which opens an external website. The root cause is the exposure of the electronAPI to page content combined with the lack of URL filtering before shell.openExternal() is called. As a result, the opened website can execute arbitrary code in the context of the application.

Impact

Exploitation of this vulnerability allows for remote code execution on the user's machine.

Reproduction

To reproduce this vulnerability, click on a rendered link in the conversation. This will open the link in the current application window, where the external website can access the exposed electronAPI. The website can then execute code that, for example, opens a local application like Calculator.

Remediation

Users can update to Jan version 0.5.15 or later, where this vulnerability has been patched.
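As an added illustration of the kind of fix involved (example code written for this page, not Jan's actual 0.5.15 patch, whose exact change the advisory does not show): an allow-list check on URLs before they reach shell.openExternal(), plus a navigation guard that keeps external sites from loading inside the app window where the preload's electronAPI is reachable. The function names isSafeExternalUrl, sameOrigin and installExternalLinkGuard are this example's own; the Electron calls it uses (setWindowOpenHandler, the will-navigate event, getURL, shell.openExternal) are real Electron APIs.

```javascript
// Added example, not Jan's code. Electron objects are passed in as parameters
// rather than require('electron')d so the logic runs outside Electron; in the
// app, call installExternalLinkGuard(win.webContents, electron.shell).

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Accepts only absolute http(s) URLs with a host. javascript:, file: and custom
// app schemes are rejected, because shell.openExternal() hands whatever it gets
// to the operating system's registered handler for that scheme.
function isSafeExternalUrl(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return false; // relative or unparsable input
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) && url.hostname !== '';
}

// Same-origin test; opaque origins ('null' for javascript: and file:) never
// match the app's own http(s) origin.
function sameOrigin(a, b) {
  try {
    return new URL(a).origin === new URL(b).origin;
  } catch {
    return false;
  }
}

function installExternalLinkGuard(webContents, shell) {
  // window.open() / target=_blank: never create a new in-app window; send
  // vetted URLs to the system browser and drop everything else.
  webContents.setWindowOpenHandler(({ url }) => {
    if (isSafeExternalUrl(url)) shell.openExternal(url);
    return { action: 'deny' };
  });
  // Plain link clicks: block any navigation away from the app's own origin, so
  // an external page never runs in the window that has electronAPI exposed.
  webContents.on('will-navigate', (event, url) => {
    if (sameOrigin(url, webContents.getURL())) return;
    event.preventDefault();
    if (isSafeExternalUrl(url)) shell.openExternal(url);
  });
}
```

The guard is only half of the hardening: the preload should also expose the minimum surface through contextBridge, so that even an in-window navigation has little to reach.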

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 10.0
exploitability: 7.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.