Electron Renderer Command-Line Switch Injection Vulnerability

Vulnerability

A vulnerability in Electron prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8 allows arbitrary command-line switches to be injected into the renderer process. The root cause is an undocumented 'commandLineSwitches' webPreference: an application that spreads an untrusted configuration object into its webPreferences (for example `{ ...userConfig }`) passes that key through unchanged, and the switches it carries can disable important security features such as renderer sandboxing or web security controls. The vulnerability affects applications that derive webPreferences from external or untrusted sources without an explicit allowlist of keys; applications that use a fixed webPreferences object are not affected.

Impact

Exploitation of this vulnerability lets an attacker who controls the configuration input inject command-line switches that disable renderer sandboxing or web security controls, removing the isolation boundaries the application relies on and significantly increasing the impact of any content the renderer loads.

Remediation

To address this vulnerability, update Electron to a fixed version and, independently of the version, avoid spreading untrusted input into webPreferences. When BrowserWindow or webContents options are built from external configuration, copy only an explicit allowlist of permitted preference keys, validate each copied value, and apply the application's fixed security settings last so that no external key can override them.

Added: Apr 4, 2026, 12:23 AM
Updated: Apr 4, 2026, 12:23 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 5.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.