CVE-2020-4075
Arbitrary Local File Read vulnerability in electron (npm)

Vulnerability type: Arbitrary Local File Read. Known public exploits: none.

What is CVE-2020-4075 About?

This vulnerability allows arbitrary local file reads when an Electron application opens child windows with unsafe window options. An attacker who can influence the options used to open a new window can leverage this to access sensitive local files, and the flaw is relatively easy to exploit given that ability. The impact is unauthorized disclosure of data from the affected system.

Affected Software

  • electron
    • <7.2.4
    • >8.0.0, <8.2.4

Technical Details

The vulnerability arises when a child window is opened via window.open within an Electron application. By defining unsafe window options during the creation of the child window, an attacker can manipulate its capabilities to read arbitrary local files. Specifically, if the application does not properly validate or sanitize the url or options passed to window.open, or the url and options it receives in the subsequent new-window event, an attacker can craft options that grant the child window local file access. The attacker can then point the child window at sensitive files on the local system, which the window reads and potentially exfiltrates.

What is the Impact of CVE-2020-4075?

Successful exploitation may allow attackers to read arbitrary files from the local filesystem, leading to unauthorized disclosure of sensitive information such as configuration files, user data, or source code.

What is the Exploitability of CVE-2020-4075?

Exploitation complexity is moderate: the attacker needs to control the parameters passed to window.open, or to influence the options handled in new-window events. No authentication is required at the point of exploitation, because the flaw lies in how the application handles window creation. The attacker would likely need to execute code within the renderer process (local access) or trick a user into opening a malicious link that triggers the vulnerable code path. The primary prerequisite is that the application does not call event.preventDefault() uniformly on all new-window events whose url or options are unexpected, which allows the unsafe window options to be applied. The risk is higher in applications that dynamically create child windows from untrusted input without sufficient validation and sanitization.
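The following is an added example, not code from Electron or from this advisory. It implements the mitigation described above as a main-process policy: a new-window event whose url or webPreferences are not what the application expects is denied with event.preventDefault(). The allowed origin, the table of safe preferences and the handler wiring (shown in a comment, because it needs the electron module) are assumptions.

```javascript
// Added example (not Electron's or the advisory's code): pure policy logic for a
// main-process `new-window` handler; the wiring that needs `electron` is a comment.

// Assumption: the only origin this app's child windows may load.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// webPreferences a child window must not loosen (values a hardened app expects).
const SAFE_WEB_PREFERENCES = {
  nodeIntegration: false,
  nodeIntegrationInWorker: false,
  nodeIntegrationInSubFrames: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
  allowRunningInsecureContent: false,
  enableRemoteModule: false,
};

// Only https URLs on an allowed origin pass; file:, javascript:, data: etc. are rejected.
function isAllowedUrl(url) {
  let parsed;
  try { parsed = new URL(String(url)); } catch (e) { return false; }
  return parsed.protocol === 'https:' && ALLOWED_ORIGINS.has(parsed.origin);
}

// Names of webPreferences keys in `options` that differ from the safe values,
// plus 'preload' if the child window tries to supply its own preload script.
function findUnsafePreferences(options) {
  const prefs = (options && options.webPreferences) || {};
  const unsafe = Object.keys(SAFE_WEB_PREFERENCES)
    .filter((key) => key in prefs && prefs[key] !== SAFE_WEB_PREFERENCES[key]);
  if ('preload' in prefs) unsafe.push('preload');
  return unsafe;
}

// Verdict for one new-window event: allow only when url and options are both expected.
function decideChildWindow(url, options) {
  const reasons = [];
  if (!isAllowedUrl(url)) reasons.push(`url not allowed: ${url}`);
  for (const key of findUnsafePreferences(options)) reasons.push(`unsafe webPreferences.${key}`);
  return { allow: reasons.length === 0, reasons };
}

// Main-process wiring (assumed; needs electron, so not executed here):
// contents.on('new-window', (event, url, frameName, disposition, options) => {
//   const verdict = decideChildWindow(url, options);
//   if (!verdict.allow) { event.preventDefault(); console.warn(verdict.reasons); return; }
//   options.webPreferences = { ...options.webPreferences, ...SAFE_WEB_PREFERENCES };
// });
```

The handler denies the window by default and, for the windows it does allow, overwrites any loosened webPreferences with the safe values rather than trusting the caller's options.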

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2020-4075?

Available Upgrade Options

  • electron
    • <7.2.4 → Upgrade to 7.2.4
    • >8.0.0, <8.2.4 → Upgrade to 8.2.4


Additional Resources

What are Similar Vulnerabilities to CVE-2020-4075?

Similar Vulnerabilities: CVE-2021-22926, CVE-2021-22927, CVE-2021-22920, CVE-2021-22921, CVE-2021-22922