Update Electron Apps to Fix Content-Security-Policy Bypass

CVE: CVE-2023-23623
CVSS (v3.1): 7.5
Source: CVE-2023-23623

Electron is a popular open source framework for building desktop apps using web technologies like JavaScript, HTML, and CSS. A recent security issue was discovered that allows bypassing Content-Security-Policy restrictions in Electron apps.

The vulnerability lies in how Electron handles Content-Security-Policy directives in app renderers when “sandbox” mode is disabled. By default, CSP is meant to prevent execution of unsafe JavaScript code by blocking constructs such as eval() and new Function(). However, in Electron versions 22.0.0 and below, as well as 23.0.0-alpha.1, CSP directives are not properly enforced when sandboxing is turned off.

This could allow attackers to execute arbitrary code within an Electron app context by bypassing the intended restrictions of CSP. They may then be able to access sensitive data or system resources the app has access to.

The good news is that this issue has been addressed in Electron versions 22.0.1 and 23.0.0-alpha.2. All Electron developers are advised to upgrade to the latest stable release as soon as possible to protect their users. Alternatively, enabling “sandbox” mode in all app renderers mitigates the issue without an upgrade.
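
The check below is an added example, not code from Electron or the advisory: it applies the affected versions and the sandbox mitigation described above to an app's Electron version and an inventory of renderer `webPreferences`. The function names and the sample inventory are hypothetical, and it assumes that only an explicit `sandbox: true` counts as mitigated.

```javascript
// Added example: triage for CVE-2023-23623 using only the version ranges
// and the sandbox mitigation stated in this article. Names are hypothetical.

// Parse "MAJOR.MINOR.PATCH[-tag.N]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z]+)\.(\d+))?$/.exec(v.trim());
  if (!m) throw new Error(`unrecognized Electron version: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], tag: m[4] || null, n: Number(m[5] || 0) };
}

// Semver-style ordering: a prerelease sorts before its stable release.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i] ? -1 : 1;
  }
  if (a.tag === b.tag) return Math.sign(a.n - b.n);
  if (a.tag === null) return 1;
  if (b.tag === null) return -1;
  return a.tag < b.tag ? -1 : 1;
}

// Affected per the article: 22.0.0 and below, plus 23.0.0-alpha.1.
function isAffectedVersion(version) {
  const v = parseVersion(version);
  if (compare(v, parseVersion('22.0.0')) <= 0) return true;
  return compare(v, parseVersion('23.0.0-alpha.1')) === 0;
}

// Assumption (conservative): only an explicit `sandbox: true` is mitigated.
function triage(version, renderers) {
  if (!isAffectedVersion(version)) return { action: 'none', unsandboxed: [] };
  const unsandboxed = renderers
    .filter((r) => !(r.webPreferences && r.webPreferences.sandbox === true))
    .map((r) => r.name);
  const action = unsandboxed.length ? 'upgrade-or-enable-sandbox' : 'mitigated';
  return { action, unsandboxed };
}

// Constructed sample inventory of an app's BrowserWindow options.
const sampleRenderers = [
  { name: 'main', webPreferences: { sandbox: true, contextIsolation: true } },
  { name: 'settings', webPreferences: { sandbox: false } },
  { name: 'about', webPreferences: {} },
];

console.log(triage('22.0.0', sampleRenderers));
```

Versions outside the ranges the article lists are reported as not affected, so confirm other release lines against the upstream advisory.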

By taking one of these steps, Electron apps can close this security loophole and ensure Content-Security-Policy is properly enforced to prevent malicious JavaScript from running unexpectedly.
