GHSA-9wfr-w7mm-pc7f
Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference
상세
### Impact An undocumented `commandLineSwitches` webPreference allowed arbitrary switches to be appended to the renderer process command line. Apps that construct `webPreferences` by spreading untrusted configuration objects may inadvertently allow an attacker to inject switches that disable renderer sandboxing or web security controls.
Apps are only affected if they construct `webPreferences` from external or untrusted input without an allowlist. Apps that use a fixed, hardcoded `webPreferences` object are not affected.
### Workarounds Do not spread untrusted input into `webPreferences`. Use an explicit allowlist of permitted preference keys when constructing `BrowserWindow` or `webContents` options from external configuration.
### Fixed Versions * `41.0.0-beta.8` * `40.7.0` * `39.8.0` * `38.8.6`
### For more information If there are any questions or comments about this advisory, send an email to [security@electronjs.org](mailto:security@electronjs.org)
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.