Severity score: 7.5
CWE: CWE-154, CWE-295

CVE-2024-39698: Code Signing Bypass on Windows in electron-updater < 6.3.0-alpha.6

First published: Tue Jul 09 2024

### Observations

The file `packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts` implements the signature validation routine for Electron applications on Windows. It executes the following command in a new shell (`process.env.ComSpec` on Windows, usually `C:\Windows\System32\cmd.exe`):

https://github.com/electron-userland/electron-builder/blob/140e2f0eb0df79c2a46e35024e96d0563355fc89/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts#L35-L41

Because of the surrounding shell, a first pass by `cmd.exe` expands any environment variable found in the command line above.

### Exploitation

This creates a situation where `verifySignature()` can be tricked into validating the certificate of a different file than the one that was just downloaded. If this step succeeds, the malicious update is executed even though its own signature is invalid.

### Impact

This attack assumes a compromised update manifest (server compromise, a man-in-the-middle attack if the manifest is fetched over HTTP, cross-site scripting that points the application at a malicious update server, etc.).

### Patch

This vulnerability was patched in #8295 by comparing the path in the output of `Get-AuthenticodeSignature` with the intended one. The patch is available starting from 6.3.0-alpha.6.
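As an added example (not electron-updater's own code), the TypeScript below shows the post-patch check described above: the `Path` that `Get-AuthenticodeSignature` reports must be the file that was actually downloaded, not merely some validly signed file. The JSON inputs are constructed, and the field names, the publisher common-name check and the exact-string path comparison are assumptions about how a verifier consumes the cmdlet's `ConvertTo-Json` output.

```typescript
// Shape of `Get-AuthenticodeSignature <file> | ConvertTo-Json -Compress`
// as assumed here. ConvertTo-Json emits the SignatureStatus enum as an
// integer; 0 means Valid.
interface AuthenticodeResult {
  Status: number;
  StatusMessage?: string;
  Path: string;                              // the file PowerShell actually inspected
  SignerCertificate?: { Subject: string } | null;
}

// Pull the CN attribute out of an X.500 subject such as
// "CN=Example Corp, O=Example Corp, C=US" (escaped commas are unescaped).
function commonName(subject: string): string | null {
  const m = /(?:^|,\s*)CN=((?:\\,|[^,])*)/.exec(subject);
  return m ? m[1].replace(/\\,/g, ",").trim() : null;
}

// Returns null when the update may be installed, otherwise the rejection reason.
// `requirePathMatch = false` models the pre-patch behaviour, which trusted any
// Valid signature from an expected publisher regardless of which file it covered.
function checkSignatureResult(expectedPath: string, publisherNames: string[],
                              psJson: string, requirePathMatch = true): string | null {
  let data: AuthenticodeResult;
  try { data = JSON.parse(psJson); } catch { return "unparsable PowerShell output"; }
  if (data.Status !== 0) return `signature not valid: ${data.StatusMessage ?? data.Status}`;
  // The fix: the verified path must be the downloaded file, compared exactly.
  if (requirePathMatch && data.Path !== expectedPath) {
    return `path mismatch: verified ${data.Path}, expected ${expectedPath}`;
  }
  const cn = data.SignerCertificate ? commonName(data.SignerCertificate.Subject) : null;
  if (cn === null || !publisherNames.includes(cn)) return `unexpected publisher: ${cn}`;
  return null;
}

// Constructed sample results. Both carry a Valid signature from the expected
// publisher; only the first actually describes the downloaded file.
const downloaded = "C:\\Users\\u\\AppData\\Local\\app-updater\\pending\\app-setup.exe";
const subject = "CN=Example Corp, O=Example Corp, C=US";
const resultForDownload = JSON.stringify({ Status: 0, StatusMessage: "Signature verified.",
  Path: downloaded, SignerCertificate: { Subject: subject } });
const resultForOtherFile = JSON.stringify({ Status: 0, StatusMessage: "Signature verified.",
  Path: "C:\\Program Files\\Example App\\Example App.exe", SignerCertificate: { Subject: subject } });

console.log(checkSignatureResult(downloaded, ["Example Corp"], resultForDownload));        // null
console.log(checkSignatureResult(downloaded, ["Example Corp"], resultForOtherFile, false)); // null (pre-patch)
console.log(checkSignatureResult(downloaded, ["Example Corp"], resultForOtherFile));        // path mismatch
```

The third call is the case the patch closes: the signature check itself passes, and only the path comparison reveals that a different file was verified.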

Credit: security-advisories@github.com

| Affected Software | Affected Version | How to fix |
| --- | --- | --- |
| npm/electron-updater | <=6.3.0-alpha.5 | 6.3.0-alpha.6 |
| Electron | <6.3.0 | |
| Electron | =6.3.0-alpha0 | |
| Electron | =6.3.0-alpha1 | |
| Electron | =6.3.0-alpha2 | |
| Electron | =6.3.0-alpha3 | |
| Electron | =6.3.0-alpha4 | |
| Electron | =6.3.0-alpha5 | |


Frequently Asked Questions

  • What is the severity of CVE-2024-39698?

    CVE-2024-39698 has been classified with a critical severity due to its potential for code execution in Electron applications on Windows.

  • How do I fix CVE-2024-39698?

    To mitigate CVE-2024-39698, upgrade the electron-updater package to version 6.3.0-alpha.6 or later.

  • Which versions are affected by CVE-2024-39698?

    CVE-2024-39698 affects electron-updater versions up to 6.3.0-alpha.5 and specific alpha versions of electron-builder.

  • What components does CVE-2024-39698 impact?

    CVE-2024-39698 primarily impacts the electron-updater package during the signature validation process for Electron applications.

  • Is there any workaround for CVE-2024-39698?

    While upgrading is the recommended fix for CVE-2024-39698, users can temporarily disable signature validation as a workaround. Note that disabling validation removes the check entirely rather than hardening it, so updates are then installed unverified; it is a stopgap, not a mitigation.
