CVE-2023-29198
Context Isolation Bypass vulnerability in electron (npm)
What is CVE-2023-29198 About?
This vulnerability in Electron allows for a context isolation bypass in apps using `contextIsolation` and `contextBridge`. Attackers running code in the main world context can reach into the isolated Electron context and perform privileged actions. Exploitation can occur under specific conditions involving unsupported return values or user-generated exceptions during bridge communication.
Affected Software
- electron
  - >24.0.0-alpha.1, <24.0.1
  - <22.3.6
  - >25.0.0-alpha.1, <25.0.0-alpha.2
  - >23.0.0-alpha.1, <23.2.3
Technical Details
The vulnerability enables a context isolation bypass within Electron applications that utilize contextIsolation and contextBridge. Context isolation is designed to prevent JavaScript in the main world (renderer process) from directly accessing internal Electron APIs. However, this flaw allows code executing in the main world to interact with the isolated Electron context and execute privileged actions. This bypass is exploitable under two main conditions: (1) if an API exposed via contextBridge returns an object or array containing an unserializable JavaScript object (e.g., a canvas rendering context), which normally would throw an 'object could not be cloned' error; or (2) if an API's return value throws a user-generated exception while being marshaled across the bridge (e.g., a dynamic getter property that throws an error). In both cases, the normal security boundaries are circumvented, allowing unintended access.
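The two conditions above both arise from what an exposed API hands back to the bridge, so the defensive fix an app can apply today is to make sure only plain, cloneable data ever crosses it. The following is an added example, not Electron's own code: a preload-side guard that walks each return value, rejects non-plain objects (a class instance stands in for a canvas rendering context) and refuses accessor properties without evaluating them, then wraps the API so a rejected value surfaces as a plain string Error instead of reaching contextBridge. `MAX_DEPTH`, `sanitizeForBridge`, `guardApi`, `FakeCanvasCtx` and `rawApi` are constructed for this example; the whitelist is deliberately stricter than Electron's supported-type table.

```javascript
// Added example, not Electron's own code: a preload-side guard that lets only
// plain, cloneable data cross contextBridge, rejecting both shapes named in the
// advisory: non-cloneable nested objects and accessor properties (getters).
const MAX_DEPTH = 32; // assumption: bounds recursion on cyclic or attacker-shaped data

function sanitizeForBridge(value, path = 'result', depth = 0) {
  if (depth > MAX_DEPTH) throw new TypeError(`${path}: nesting too deep`);
  if (value === null || ['string', 'number', 'boolean', 'undefined'].includes(typeof value)) return value;
  if (Array.isArray(value)) return value.map((v, i) => sanitizeForBridge(v, `${path}[${i}]`, depth + 1));
  const proto = Object.getPrototypeOf(value);
  if (typeof value !== 'object' || (proto !== Object.prototype && proto !== null)) {
    // Functions, Maps, class instances (e.g. a CanvasRenderingContext2D) are not plain data.
    throw new TypeError(`${path}: non-plain value (${typeof value})`);
  }
  const out = {};
  for (const key of Object.keys(value)) {
    const desc = Object.getOwnPropertyDescriptor(value, key);
    // Never evaluate a getter: a throwing getter is the advisory's second bypass condition.
    if (desc.get || desc.set) throw new TypeError(`${path}.${key}: accessor property`);
    out[key] = sanitizeForBridge(desc.value, `${path}.${key}`, depth + 1);
  }
  return out;
}

// Wrap each exposed function so an unsafe return value never reaches the bridge;
// the renderer gets a plain Error with a string message instead of the raw object.
function guardApi(api) {
  const guarded = {};
  for (const [name, fn] of Object.entries(api)) {
    guarded[name] = (...args) => {
      const raw = fn(...args); // the API's own errors propagate unchanged
      try { return sanitizeForBridge(raw, name); }
      catch (e) { throw new Error(`bridge guard rejected ${e.message}`); }
    };
  }
  return guarded;
}

// Constructed sample API: a class instance standing in for a canvas rendering
// context, a throwing getter, and one well-behaved plain-data result.
class FakeCanvasCtx {}
const rawApi = {
  getCanvas: () => ({ width: 10, ctx: new FakeCanvasCtx() }),
  getProfile: () => ({ get name() { throw new Error('boom'); } }),
  getVersion: () => ({ version: '1.2.3', tags: ['a', 'b'] }),
};
const api = guardApi(rawApi); // in a real preload: contextBridge.exposeInMainWorld('api', api)
```

The guard is a defence-in-depth measure for code that must keep running on an affected version; upgrading to a fixed release remains the actual fix.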
What is the Impact of CVE-2023-29198?
Successful exploitation may allow attackers to bypass context isolation, execute privileged actions, gain unauthorized access to internal Electron APIs, and potentially achieve remote code execution in the host context.
What is the Exploitability of CVE-2023-29198?
Exploitation requires the attacker to have arbitrary code execution within the main world context of an Electron renderer process. The complexity is high, as it requires crafting specific JavaScript code that triggers the exact conditions for the bypass, leveraging unsupported return types or specific exceptions during context bridge communication. There are no explicit authentication or privilege requirements, as the attack leverages a flaw in the isolation mechanism itself, but initial access to run JS in the renderer process is a prerequisite. This is typically a local vulnerability from the perspective of an already running Electron application process. Special conditions include the use of contextIsolation and contextBridge with improperly handled return values or exceptions. Risk factors include Electron applications that expose complex objects or have dynamic getters through contextBridge to untrusted content.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-29198?
Available Upgrade Options
- electron
  - <22.3.6 → Upgrade to 22.3.6
  - >23.0.0-alpha.1, <23.2.3 → Upgrade to 23.2.3
  - >24.0.0-alpha.1, <24.0.1 → Upgrade to 24.0.1
  - >25.0.0-alpha.1, <25.0.0-alpha.2 → Upgrade to 25.0.0-alpha.2
Additional Resources
- https://github.com/electron/electron
- https://www.electronjs.org/docs/latest/api/context-bridge#parameter--error--return-type-support
- https://nvd.nist.gov/vuln/detail/CVE-2023-29198
- https://github.com/electron/electron/security/advisories/GHSA-p7v2-p9m8-qqg7
- https://osv.dev/vulnerability/GHSA-p7v2-p9m8-qqg7
What are Similar Vulnerabilities to CVE-2023-29198?
Similar Vulnerabilities: CVE-2022-21696, CVE-2021-39144, CVE-2020-26233, CVE-2020-15174, CVE-2019-1301
