CVE-2024-29900

Published: Mar 29, 2024Modified: May 7, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Electron Packager bundles Electron-based application source code with a renamed Electron executable and supporting files into folders ready for distribution. A random segment of ~1-10kb of Node.js heap memory allocated either side of a known buffer will be leaked into the final executable. This memory _could_ contain sensitive information such as environment variables, secrets files, etc. This issue is patched in 18.3.1.

Affected (1)

Products: Openjsf: Packager

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Openjsf Packager	Version 18.3.0

Related CWEs

Transmission of Private Resources into a New Sphere ('Resource Leak')

The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.

References (4)

https://github.com/electron/packager/commit/d421d4bd3ced889a4143c5c3ab6d95e3be249eee

Source: security-advisories@github.com

Patch

https://github.com/electron/packager/security/advisories/GHSA-34h3-8mw4-qw57

Source: security-advisories@github.com

Vendor Advisory

https://github.com/electron/packager/commit/d421d4bd3ced889a4143c5c3ab6d95e3be249eee

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/electron/packager/security/advisories/GHSA-34h3-8mw4-qw57

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.