VDB
KO
HIGH 7.7

GHSA-9wfr-w7mm-pc7f

Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference

Details

### Impact An undocumented `commandLineSwitches` webPreference allowed arbitrary switches to be appended to the renderer process command line. Apps that construct `webPreferences` by spreading untrusted configuration objects may inadvertently allow an attacker to inject switches that disable renderer sandboxing or web security controls.

Apps are only affected if they construct `webPreferences` from external or untrusted input without an allowlist. Apps that use a fixed, hardcoded `webPreferences` object are not affected.

### Workarounds Do not spread untrusted input into `webPreferences`. Use an explicit allowlist of permitted preference keys when constructing `BrowserWindow` or `webContents` options from external configuration.

### Fixed Versions * `41.0.0-beta.8` * `40.7.0` * `39.8.0` * `38.8.6`

### For more information If there are any questions or comments about this advisory, send an email to [security@electronjs.org](mailto:security@electronjs.org)

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / electron
Introduced in: 0 Fixed in: 38.8.6
Fix npm install electron@38.8.6
npm / electron
Introduced in: 39.0.0-alpha.1 Fixed in: 39.8.0
Fix npm install electron@39.8.0
npm / electron
Introduced in: 40.0.0-alpha.1 Fixed in: 40.7.0
Fix npm install electron@40.7.0
npm / electron
Introduced in: 41.0.0-alpha.1 Fixed in: 41.0.0-beta.8
Fix npm install electron@41.0.0-beta.8

References