CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile: 38.7%
Electron is vulnerable to Improper Check for Unusual or Exceptional Conditions. The vulnerability is caused by incorrect error handling when an API exposed to the main world via contextBridge either returns an object or array containing a JS object that cannot be serialized (e.g. a canvas rendering context), or returns a value that throws a user-generated exception while being sent over the bridge (e.g. a dynamic getter property on an object). The result is a context isolation bypass: code running in the main world context of the renderer can reach into the isolated Electron context and perform privileged actions.
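The fix for the bridge itself is an Electron upgrade, but the advisory also describes a pattern application authors can defend against on their own side: never let an unserializable object or a throwing getter reach the bridge's marshalling code. The following is an added example, not code from Electron or from the advisory. It is a preload-side wrapper in plain JavaScript that converts every return value into plain data using property descriptors (so getters are detected rather than executed) and turns any failure into a controlled error result. The `getState` API, the `FakeCanvasContext` class and the `contextBridge.exposeInMainWorld` call at the end are constructed for illustration and are assumptions; the last one only runs inside an Electron process.

```javascript
// Added example (not Electron's code): sanitize values before they cross contextBridge.
const MAX_DEPTH = 32;

// Deep-copy `value` into plain data (primitives, arrays, plain objects only).
// Accessor properties are rejected without being invoked, so a throwing getter
// can never fire during bridge serialization; objects with foreign prototypes
// (e.g. a canvas rendering context) are rejected as unserializable.
function toPlainData(value, depth = 0) {
  if (depth > MAX_DEPTH) throw new TypeError("nesting too deep");
  if (value === null) return null;
  const t = typeof value;
  if (t === "string" || t === "number" || t === "boolean" || t === "undefined" || t === "bigint") {
    return value;
  }
  if (Array.isArray(value)) {
    const out = [];
    for (let i = 0; i < value.length; i++) {
      const desc = Object.getOwnPropertyDescriptor(value, i);
      if (!desc || !("value" in desc)) throw new TypeError(`accessor at index ${i} rejected`);
      out.push(toPlainData(desc.value, depth + 1));
    }
    return out;
  }
  if (t === "object") {
    const proto = Object.getPrototypeOf(value);
    if (proto !== Object.prototype && proto !== null) {
      throw new TypeError("non-plain object rejected");
    }
    const out = {};
    for (const key of Object.keys(value)) {           // does not read values
      const desc = Object.getOwnPropertyDescriptor(value, key);
      if (!("value" in desc)) throw new TypeError(`accessor property "${key}" rejected`);
      out[key] = toPlainData(desc.value, depth + 1);
    }
    return out;
  }
  throw new TypeError(`unsupported type ${t}`); // functions, symbols
}

// Wrap an API function so the renderer only ever receives plain data or a
// generic error envelope; error details stay in the preload/main side.
function safeExpose(fn) {
  return (...args) => {
    let result;
    try {
      result = fn(...args);
    } catch (err) {
      return { ok: false, error: "api call failed" };
    }
    try {
      return { ok: true, value: toPlainData(result) };
    } catch (err) {
      return { ok: false, error: "unserializable result" };
    }
  };
}

// Constructed sample APIs standing in for application code (assumptions).
class FakeCanvasContext {}              // stands in for a real rendering context
function getState() { return { count: 1, tags: ["a", "b"] }; }
function getStateWithGetter() { return { get secret() { throw new Error("boom"); } }; }
function getStateWithContext() { return { ctx: new FakeCanvasContext() }; }

// Run the three cases and return their envelopes.
function exampleResults() {
  return {
    plain: safeExpose(getState)(),
    getter: safeExpose(getStateWithGetter)(),
    context: safeExpose(getStateWithContext)(),
  };
}

// Illustrative only: in a real preload script this is where the wrapped API
// would be exposed. Guarded so the example also runs under plain Node.
if (typeof process !== "undefined" && process.versions && process.versions.electron) {
  const { contextBridge } = require("electron");
  contextBridge.exposeInMainWorld("safeApi", { getState: safeExpose(getState) });
}
```

Because the wrapper copies data instead of passing the original object, the renderer never holds a reference into preload-side objects, and the only things that cross the bridge are values that are already plain.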