Electron Node Integration in Worker Web Preference Misconfiguration Vulnerability
Vulnerability
A vulnerability exists in Electron versions prior to 38.8.6, between 39.0.0-alpha.1 and 39.8.4, between 40.0.0-alpha.1 and 40.8.4, and between 41.0.0-alpha.1 and 41.0.0. The issue arises because the nodeIntegrationInWorker web preference was not properly scoped in all configurations. In certain process-sharing scenarios, workers in frames with nodeIntegrationInWorker set to false could still receive Node.js integration. This vulnerability only affects applications that enable nodeIntegrationInWorker.
Impact
This vulnerability allows for unintended Node.js integration in web workers, which could be exploited to execute malicious Node.js code in the context of the worker.
Remediation
To address this vulnerability, update Electron to version 38.8.6, 39.8.4, 40.8.4, or 41.0.0. If you have any questions or comments about this advisory, email security@electronjs.org.
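The advisory turns on two facts an application can check for itself: which Electron version it runs, and whether any BrowserWindow passes nodeIntegrationInWorker: true in its webPreferences. The following is an added example, not code from the advisory or from the Electron project, that encodes the affected version ranges stated above and audits a webPreferences object against them. The helper names (parseVersion, compareVersions, isAffectedElectronVersion, auditWebPreferences) and the two sample configurations are constructed for illustration; the webPreferences key and the fixed versions are the ones the advisory names. It runs with plain Node.js and does not require Electron.

```javascript
// Added example (not part of the advisory): decide whether an Electron app is
// exposed to this issue from the Electron version and the BrowserWindow
// webPreferences it passes. Version ranges and the preference key come from
// the advisory; helper names and sample configurations are constructed.

// First fixed release in each affected major line, as stated in the advisory.
const FIXED_BY_MAJOR = { 38: '38.8.6', 39: '39.8.4', 40: '40.8.4', 41: '41.0.0' };

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (e.g. "39.0.0-alpha.1") into parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised Electron version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : null };
}

// Negative if a < b, 0 if equal, positive if a > b. A prerelease such as
// 39.0.0-alpha.1 sorts before the release it precedes (39.0.0).
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] - y[k];
  }
  if (!x.pre && !y.pre) return 0;
  if (!x.pre) return 1;
  if (!y.pre) return -1;
  const n = Math.max(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined) return -1;          // shorter prerelease list sorts first
    if (q === undefined) return 1;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) { if (+p !== +q) return +p - +q; }
    else if (pn !== qn) return pn ? -1 : 1;  // numeric identifiers sort before alphanumeric
    else if (p !== q) return p < q ? -1 : 1; // "alpha" < "beta" < "nightly"
  }
  return 0;
}

// True when the version falls inside one of the affected ranges.
function isAffectedElectronVersion(version) {
  const { major } = parseVersion(version);
  if (major < 38) return true;     // "prior to 38.8.6" covers every earlier major line
  const fixed = FIXED_BY_MAJOR[major];
  if (!fixed) return false;        // majors above 41 are outside the stated ranges
  return compareVersions(version, fixed) < 0;
}

// Inspect one BrowserWindow webPreferences object; returns a list of findings.
// Only applications that enable nodeIntegrationInWorker are affected, so that
// flag is the sole trigger; the version decides how urgent the finding is.
function auditWebPreferences(prefs, electronVersion) {
  const findings = [];
  if (prefs && prefs.nodeIntegrationInWorker === true) {
    findings.push(isAffectedElectronVersion(electronVersion)
      ? `nodeIntegrationInWorker enabled on affected Electron ${electronVersion}: ` +
        'workers in frames that set it to false may still receive Node.js integration'
      : `nodeIntegrationInWorker enabled on patched Electron ${electronVersion}: ` +
        'scoped correctly, but workers in this window run with Node.js access by design');
  }
  return findings;
}

// Constructed samples: the weak setting beside the corrected one.
const weakPrefs = { nodeIntegrationInWorker: true, contextIsolation: true };
const hardenedPrefs = { nodeIntegrationInWorker: false, contextIsolation: true };

console.log(auditWebPreferences(weakPrefs, '39.2.0'));      // one finding
console.log(auditWebPreferences(hardenedPrefs, '39.2.0'));  // []
console.log(isAffectedElectronVersion('41.0.0-beta.2'));     // true
console.log(isAffectedElectronVersion('41.0.0'));            // false
```

In a real audit the version comes from process.versions.electron inside the main process and the preferences from each new BrowserWindow call; the point of keeping the version check separate from the preference check is that even on a patched release a nodeIntegrationInWorker: true finding is worth reviewing, because it hands Node.js access to every worker in that window.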