MEDIUM

GHSA-6r2x-8pq8-9489

Electron vulnerable to Heap Buffer Overflow in NativeImage

Details

### Impact The `nativeImage.createFromPath()` and `nativeImage.createFromBuffer()` functions call a function downstream that is vulnerable to a heap buffer overflow. An Electron program that uses either of the affected functions is vulnerable to a buffer overflow if an attacker is in control of the image's height, width, and contents.

### Workaround There are no app-side workarounds for this issue. You must update your Electron version to be protected.

### Patches

- `v28.3.2` - `v29.3.3` - `v30.0.3`

### For More Information

If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org).

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / electron

Introduced in: 0 Fixed in: 28.3.2

Fix npm install electron@28.3.2

npm / electron

Introduced in: 29.0.0-alpha.1 Fixed in: 29.3.3

Fix npm install electron@29.3.3

npm / electron

Introduced in: 30.0.0-alpha.1 Fixed in: 30.0.3

Fix npm install electron@30.0.3

References

https://github.com/electron/electron/security/advisories/GHSA-6r2x-8pq8-9489 [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2024-46993 [ADVISORY]
https://github.com/electron/electron [PACKAGE]