CVE-2020-4076 HIGH

CVE-2020-4076: Context isolation bypass via leaked cross-context objects in Electron

Vendor: Electron
Product: electron
Weakness: CWE-501
Published: July 7, 2020
Last update: August 4, 2024

CVSS base score

7.8/10
Attack vector: Local
Attack complexity: High
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

What the vulnerability does

01 Description

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta.21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.

Key dates

02 Disclosure timeline

July 7, 2020: CVE published
August 4, 2024: Record updated