MEDIUM 5.6

GHSA-56pc-6jqp-xqj8

Context isolation bypass in Electron

Details

### Impact Apps using both `contextIsolation` and `sandbox: true` are affected. Apps using both `contextIsolation` and `nativeWindowOpen: true` are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

### Workarounds There are no app-side workarounds, you must update your Electron version to be protected.

### Fixed Versions * `11.0.0-beta.6` * `10.1.2` * `9.3.1` * `8.5.2`

### For more information If you have any questions or comments about this advisory: * Email us at [security@electronjs.org](mailto:security@electronjs.org)

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / electron

Introduced in: 8.0.0-beta.0 Fixed in: 8.5.2

Fix npm install electron@8.5.2

npm / electron

Introduced in: 9.0.0-beta.0 Fixed in: 9.3.1

Fix npm install electron@9.3.1

npm / electron

Introduced in: 10.0.0-beta.0 Fixed in: 10.1.2

Fix npm install electron@10.1.2

npm / electron

Introduced in: 11.0.0-beta.0 Fixed in: 11.0.0-beta.6

Fix npm install electron@11.0.0-beta.6

Details

Are you affected?

Affected packages

References