GHSA-mq8j-3h7h-p8g7
Compromised child renderer processes could obtain IPC access without nodeIntegrationInSubFrames being enabled
Details
### Impact This vulnerability allows a renderer with JS execution to obtain access to a new renderer process with `nodeIntegrationInSubFrames` enabled which in turn allows effective access to `ipcRenderer`.
Please note the misleadingly named `nodeIntegrationInSubFrames` option does not implicitly grant Node.js access rather it depends on the existing `sandbox` setting. If your application is sandboxed then `nodeIntegrationInSubFrames` just gives access to the sandboxed renderer APIs (which includes `ipcRenderer`).
If your application then additionally exposes IPC messages without IPC `senderFrame` validation that perform privileged actions or return confidential data this access to `ipcRenderer` can in turn compromise your application / user even with the sandbox enabled.
### Patches This has been patched and the following Electron versions contain the fix:
* `18.0.0-beta.6` * `17.2.0` * `16.2.6` * `15.5.5`
### Workarounds Ensure that all IPC message handlers appropriately validate `senderFrame` as per our [security tutorial here](https://github.com/electron/electron/blob/main/docs/tutorial/security.md#17-validate-the-sender-of-all-ipc-messages).
### For more information
If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org).
Are you affected?
Enter the version of the package you're using.
Affected packages
18.0.0-beta.1 Fixed in: 18.0.0-beta.6 npm install electron@18.0.0-beta.6