Skip to content

SSL Validation Defaults to False in electron-packager

Low severity GitHub Reviewed Published Feb 18, 2019 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm electron-packager (npm)

Affected versions

>= 5.2.1, < 7.0.0

Patched versions

7.0.0

Description

Affected versions of electron-packager configure the generated application to disable SSL certificate verification by default.

This could allow an attacker with a privileged network position to launch a Man In The Middle (MITM) attack on the install process, intercepting the step where electron-packager downloads Electron for supported target platforms and architectures, and replacing the valid download with a tampered malicious one.

This only affects users using the electron-packager CLI. The strict-ssl option defaults to true for the node.js API.

Recommendation

  1. Update to version 7.0.0 or later.
  2. Delete the electron-download cache folder, which is by default located at ~/.electron.

References

Published to the GitHub Advisory Database Feb 18, 2019
Reviewed Jun 16, 2020
Last updated Jan 9, 2023

Severity

Low

EPSS score

0.063%
(28th percentile)

Weaknesses

CVE ID

CVE-2016-10534

GHSA ID

GHSA-q43m-ffwr-rpcc

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.