Electron Denial-of-Service Vulnerability in Clipboard Image Handling

Vulnerability

A denial-of-service vulnerability has been identified in Electron applications that call clipboard.readImage(). It affects Electron versions before 39.8.5, and the 40.x, 41.x and 42.x lines from 40.0.0-alpha.1 up to (but not including) 40.8.5, from 41.0.0-alpha.1 up to 41.1.0, and from 42.0.0-alpha.1 up to 42.0.0-alpha.5. The vulnerability is triggered when the clipboard holds image data that fails to decode: the resulting null bitmap is passed unchecked into image construction, which hits a controlled abort and terminates the application process. Because the system clipboard can be written by any other application, the malformed data does not have to originate from the affected app itself. Only apps that read images from the clipboard are affected, and the flaw does not lead to memory corruption or code execution.

Impact

Exploiting this vulnerability crashes the application process. The abort is a deliberate check in native code rather than an uncontrolled fault, so the effect is limited to availability: there is no memory corruption and no path to code execution.

Remediation

To address this vulnerability, upgrade to Electron 39.8.5, 40.8.5, 41.1.0, or 42.0.0-alpha.5 (or a later release in the same line). As an additional precaution, applications can check clipboard.availableFormats() before calling clipboard.readImage() and skip the read when no image format is advertised. Note that availableFormats() only reports which formats the clipboard claims to hold, not whether the data actually decodes, so this check reduces exposure but does not replace the upgrade.
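As an added example (not code from Electron or from this advisory), the guard below wraps clipboard.readImage() in the way the remediation describes: it consults clipboard.availableFormats() first and then checks the returned NativeImage with isEmpty() so an undecodable image is never handed to downstream code. The clipboard object is passed in as a parameter, and the file ends with constructed fakes standing in for electron.clipboard and NativeImage, so it runs outside an Electron process; the MIME-style "image/..." format names and the helper names are assumptions, not part of the advisory.

```javascript
// Added example, not Electron's own code: a guard around clipboard.readImage().
// In a real main process you would use `const { clipboard } = require('electron')`
// and call readClipboardImageSafely(clipboard); here the clipboard object is a
// parameter so the guard can run outside Electron against the fakes at the bottom.

// Assumption: Electron reports image formats with MIME-style names such as
// "image/png". Verify the exact strings on each target platform.
function advertisesImage(formats) {
  return formats.some((f) => typeof f === 'string' && f.startsWith('image/'));
}

// Returns { ok, reason, image, formats } and never hands an unchecked
// clipboard image to the caller.
function readClipboardImageSafely(clipboard) {
  const formats = clipboard.availableFormats();

  // availableFormats() says what the clipboard claims to hold, not whether
  // the bytes decode. Skipping the read when no image is advertised avoids a
  // needless call, but it cannot detect a malformed payload that is labelled
  // as an image; only the upgrade covers that case.
  if (!advertisesImage(formats)) {
    return { ok: false, reason: 'no-image-format', image: null, formats };
  }

  let image;
  try {
    image = clipboard.readImage();
  } catch (err) {
    // Defence in depth only: on the vulnerable versions the failure is a
    // native abort that no JavaScript try/catch can intercept. This branch
    // handles a JS-level error from the read, nothing more.
    return { ok: false, reason: 'read-threw', image: null, formats, error: err };
  }

  // NativeImage.isEmpty() is true when nothing was decoded, so treat that as a
  // failed read rather than passing an empty image into image-processing code.
  if (image.isEmpty()) {
    return { ok: false, reason: 'undecodable-image', image: null, formats };
  }
  return { ok: true, reason: null, image, formats };
}

// ---- Constructed fakes standing in for electron.clipboard and NativeImage ----
// These are not Electron objects; they expose just enough surface for the guard.
function fakeNativeImage(empty) {
  return { isEmpty: () => empty };
}
function fakeClipboard(formats, image) {
  return {
    availableFormats: () => formats,
    readImage: () => image,
  };
}

// Stand-alone demo of the three outcomes on constructed clipboard contents.
const scenarios = [
  ['text only', fakeClipboard(['text/plain', 'text/html'], fakeNativeImage(true))],
  ['image advertised, decode failed', fakeClipboard(['image/png'], fakeNativeImage(true))],
  ['valid image', fakeClipboard(['image/png'], fakeNativeImage(false))],
];
for (const [label, cb] of scenarios) {
  const r = readClipboardImageSafely(cb);
  console.log(`${label}: ok=${r.ok} reason=${r.reason}`);
}
```

Drop the fakes when wiring this into a real app; the guard itself only needs the availableFormats(), readImage() and isEmpty() calls that Electron already provides.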

Added: Apr 7, 2026, 11:31 PM
Updated: Apr 7, 2026, 11:31 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 2.8
remediation: 0.0
relevance: 5.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.