CVE
CVE-2024-29900
@electron/packager's build process memory potentially leaked into final executable
Electron Packager bundles Electron-based application source code with a renamed Electron executable and supporting files into folders ready for distribution. A random segment of ~1-10kb of Node.js heap memory allocated either side of a known buffer will be leaked into the final executable. This memory could contain sensitive information such as environment variables, secrets files, etc. This issue is patched in 18.3.1.
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
7.5
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
C
H
U
-
Related Resources
No items found.
References
https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/29xxx/CVE-2024-29900.json, https://github.com/electron/packager/security/advisories/GHSA-34h3-8mw4-qw57, https://nvd.nist.gov/vuln/detail/CVE-2024-29900, https://github.com/electron/packager/commit/d421d4bd3ced889a4143c5c3ab6d95e3be249eee
Basic Information
Ecosystem
