CVE-2023-39956
Arbitrary Code Execution vulnerability in electron (npm)


What is CVE-2023-39956 About?

This vulnerability in Electron allows for arbitrary code execution when an app is launched with an attacker-controlled working directory. It potentially enables an attacker to bypass protections like ASAR Integrity. The exploit is difficult to achieve, requiring specific preconditions like write access to the working directory.

Affected Software

  • electron
    • >25.0.0-alpha.1, <25.5.0
    • <22.3.19
    • >23.0.0-alpha.1, <23.3.13
    • >26.0.0-alpha.1, <26.0.0-beta.13
    • >24.0.0-alpha.1, <24.7.1

Technical Details

The vulnerability impacts Electron applications launched as command-line executables. It occurs when two critical conditions are met: the application is launched from an attacker-controlled working directory, and the attacker has write access to that directory. In such a scenario, the attacker can place malicious files (e.g., modified node_modules or package.json configurations) within the working directory. Electron's module resolution or loading mechanisms might then prioritize these malicious files, leading to the execution of attacker-controlled code instead of legitimate application logic. This mechanism can bypass safeguards like ASAR Integrity, which attempts to prevent tampering with application archives.

What is the Impact of CVE-2023-39956?

Successful exploitation may allow attackers to execute arbitrary code with the privileges of the Electron application, leading to system compromise, data manipulation, or bypassing application security features.

What is the Exploitability of CVE-2023-39956?

Exploitation is highly complex because of two stringent prerequisites: the application must be launched from an attacker-controlled working directory, and the attacker must have write access to that directory. This typically implies a 'physically local' attack or a scenario where the attacker has already gained some level of control over the user's environment. The exploit itself requires no authentication, but gaining access to the working directory may require prior authentication or privileges, so in practice this is a local attack. The risk is low given these conditions, but it increases if users commonly execute untrusted Electron apps from arbitrary directories or if compromised systems allow local file system manipulation.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2023-39956?

Available Upgrade Options

  • electron
    • <22.3.19 → Upgrade to 22.3.19
  • electron
    • >23.0.0-alpha.1, <23.3.13 → Upgrade to 23.3.13
  • electron
    • >24.0.0-alpha.1, <24.7.1 → Upgrade to 24.7.1
  • electron
    • >25.0.0-alpha.1, <25.5.0 → Upgrade to 25.5.0
  • electron
    • >26.0.0-alpha.1, <26.0.0-beta.13 → Upgrade to 26.0.0-beta.13


Additional Resources

What are Similar Vulnerabilities to CVE-2023-39956?

Similar Vulnerabilities: CVE-2023-2895, CVE-2022-35923, CVE-2022-2845, CVE-2021-27041, CVE-2020-14283