CVE-2023-44402
Integrity Bypass vulnerability in electron (npm)
What is CVE-2023-44402 About?
This vulnerability affects Electron applications on macOS with specific fuses enabled, allowing an attacker to bypass integrity validation by modifying application files. Its impact is limited to applications launched from attacker-writable filesystems. Exploitation is possible when an attacker has write access to the application's installation directory.
Affected Software
- electron
- >26.0.0-alpha.1, <26.2.1
- >27.0.0-alpha.1, <27.0.0-alpha.7
- >24.0.0-alpha.1, <24.8.3
- >25.0.0-alpha.1, <25.8.1
- >23.0.0-alpha.1, <=23.3.13
- <22.3.24
Technical Details
The vulnerability specifically impacts Electron applications on macOS that have both embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. These fuses are intended to protect against tampering by ensuring that the application only loads from its embedded ASAR archive and that the archive's integrity is validated. However, if an attacker has write access to the filesystem where the Electron app is installed, they can modify files within the resources folder, circumventing these integrity checks. This allows the attacker to introduce malicious code or alter application behavior, despite the fuses being active, as the integrity validation mechanism can be bypassed when the launch environment itself is compromised via filesystem write permissions.
What is the Impact of CVE-2023-44402?
Successful exploitation may allow attackers to execute arbitrary code within the context of the Electron application, modify application behavior, bypass intended security controls, or gain unauthorized access to data.
What is the Exploitability of CVE-2023-44402?
Exploitation complexity is moderate and highly constrained by specific prerequisites. The vulnerability is local, requiring an attacker to have write access to the filesystem where the Electron application is installed. This typically means the attacker needs prior local access to the user's machine or system. There are no direct authentication or privilege requirements specifically for the vulnerability itself, beyond the filesystem write permissions. The vulnerability only affects macOS applications with specific embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Risk factors include environments where users commonly install or run applications from shared or untrusted network drives, or where local privilege escalation could grant write access to application installation directories.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2023-44402?
Available Upgrade Options
- electron
- <22.3.24 → Upgrade to 22.3.24
- electron
- >24.0.0-alpha.1, <24.8.3 → Upgrade to 24.8.3
- electron
- >25.0.0-alpha.1, <25.8.1 → Upgrade to 25.8.1
- electron
- >26.0.0-alpha.1, <26.2.1 → Upgrade to 26.2.1
- electron
- >27.0.0-alpha.1, <27.0.0-alpha.7 → Upgrade to 27.0.0-alpha.7
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://github.com/electron/electron/pull/39788
- https://github.com/electron/electron
- https://github.com/electron/electron/pull/39788
- https://github.com/electron/electron/security/advisories/GHSA-7m48-wc93-9g85
- https://github.com/electron/electron/security/advisories/GHSA-7m48-wc93-9g85
- https://nvd.nist.gov/vuln/detail/CVE-2023-44402
- https://osv.dev/vulnerability/GHSA-7m48-wc93-9g85
- https://www.electronjs.org/docs/latest/tutorial/fuses
- https://www.electronjs.org/docs/latest/tutorial/fuses
What are Similar Vulnerabilities to CVE-2023-44402?
Similar Vulnerabilities: CVE-2023-36845 , CVE-2023-36846 , CVE-2023-36847 , CVE-2023-36848 , CVE-2023-2825
