Ecosyste.ms: Advisories


Security Advisories: GSA_kwCzR0hTQS0zNGgzLThtdzQtcXc1N84AA6d1

@electron/packager's build process memory potentially leaked into final executable

Impact

A random segment of ~1-10kb of Node.js heap memory, allocated on either side of a known buffer, is leaked into the final executable. This memory could contain sensitive information such as environment variables, the contents of secrets files, etc.

Patches

This issue is patched in 18.3.1.

Workarounds

No workarounds; update to a patched version of @electron/packager immediately if impacted.

Permalink: https://github.com/advisories/GHSA-34h3-8mw4-qw57
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zNGgzLThtdzQtcXc1N84AA6d1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 month ago
Updated: about 1 month ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-34h3-8mw4-qw57, CVE-2024-29900
References: Repository: https://github.com/electron/packager
Blast Radius: 14.5

Affected Packages

npm:@electron/packager
Dependent packages: 3
Dependent repositories: 86
Downloads: 203,824 last month
Affected Version Ranges: = 18.3.0
Fixed in: 18.3.1
All affected versions: 18.3.0
All unaffected versions: 0.0.0, 18.0.0, 18.1.0, 18.1.1, 18.1.2, 18.1.3, 18.2.0, 18.3.1, 18.3.2