First published: Fri Mar 23 2018(Updated: )
A vulnerability has been discovered which allows Node.js integration to be re-enabled in some Electron applications that disable it. For the application to be impacted by this vulnerability it must meet all of these conditions:

- Runs on Electron 1.7, 1.8, or a 2.0.0-beta
- Allows execution of arbitrary remote code
- Disables Node.js integration
- Does not explicitly declare `webviewTag: false` in its `webPreferences`
- Does not enable the `nativeWindowOpen` option
- Does not intercept `new-window` events and manually override `event.newGuest` without using the supplied `options` tag

## Recommendation

Update to `electron` version 1.7.13, 1.8.4, or 2.0.0-beta.5 or later. If you are unable to update your Electron version, you can mitigate the vulnerability with the following code.

```js
const { app } = require('electron')

// Force every window opened from a renderer (window.open, target=_blank)
// to be created without Node.js integration, whatever the opener asked for.
app.on('web-contents-created', (event, win) => {
  win.on('new-window', (event, newURL, frameName, disposition, options, additionalFeatures) => {
    if (!options.webPreferences) options.webPreferences = {};
    options.webPreferences.nodeIntegration = false;
    options.webPreferences.nodeIntegrationInWorker = false;
    options.webPreferences.webviewTag = false;
    delete options.webPreferences.preload;
  })
})

// and *IF* you don't use WebViews at all,
// you might also want
app.on('web-contents-created', (event, win) => {
  win.on('will-attach-webview', (event, webPreferences, params) => {
    // Refuse to attach any <webview>, since the app has no legitimate use for them.
    event.preventDefault();
  })
})
```
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Electronjs Electron | >=1.7.0, <=1.7.12 | |
| Electronjs Electron | >1.8.0, <=1.8.3 | |
| Electronjs Electron | =2.0.0 | |
| Electronjs Electron | =2.0.0-beta1 | |
| Electronjs Electron | =2.0.0-beta2 | |
| Electronjs Electron | =2.0.0-beta3 | |
| Electronjs Electron | =2.0.0-beta4 | |
| npm/electron | >=1.8.0, <1.8.4 | 1.8.4 |
| npm/electron | >=1.7.0, <1.7.13 | 1.7.13 |
| npm/electron | >=2.0.0-beta.1, <2.0.0-beta.5 | 2.0.0-beta.5 |
CVE-2018-1000136 is a vulnerability in Electron versions 1.7 up to 1.7.12, 1.8 up to 1.8.3, and 2.0.0 up to 2.0.0-beta.3 that allows Node.js integration to be re-enabled in some Electron applications that disable it.
Electron versions 1.7 up to 1.7.12, 1.8 up to 1.8.3, and 2.0.0 up to 2.0.0-beta.3 are affected by CVE-2018-1000136.
CVE-2018-1000136 has a severity rating of 8.1 (High).
To fix CVE-2018-1000136, you should update Electron to versions 1.7.13, 1.8.4, or 2.0.0-beta.5, depending on the version you are using.
You can find more information about CVE-2018-1000136 on the NVD website (https://nvd.nist.gov/vuln/detail/CVE-2018-1000136), the Electron blog (https://electronjs.org/blog/webview-fix), and the npm advisory page (https://www.npmjs.com/advisories/574).