CVE-2024-29900

Electron Packager bundles Electron-based application source code with a renamed Electron executable and supporting files into folders ready for distribution. A random segment of ~1-10kb of Node.js heap memory allocated either side of a known buffer will be leaked into the final executable. This memory _could_ contain sensitive information such as environment variables, secrets files, etc. This issue is patched in 18.3.1.
Resource Leak
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
GitHub_MCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 44%
VendorProductVersion
openjsfpackager
18.3.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/electron/packager/commit/d421d4bd3ced889a4143c5c3ab6d95e3be249eee
https://github.com/electron/packager/security/advisories/GHSA-34h3-8mw4-qw57
https://github.com/electron/packager/commit/d421d4bd3ced889a4143c5c3ab6d95e3be249eee
https://github.com/electron/packager/security/advisories/GHSA-34h3-8mw4-qw57