CVE-2018-15685
Published 2018-08-23
Priority P262 · high · CVSS 3.0: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT · EPSS: 10.43% (95.2th percentile)
GitHub Electron 1.7.15, 1.8.7, 2.0.7, and 3.0.0-beta.6, in certain scenarios involving IFRAME elements and "nativeWindowOpen: true" or "sandbox: true" options, is affected by a WebPreferences vulnerability that can be leveraged to perform remote code execution.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| electron | electron | >= 1.7.0 < 1.7.16 | 1.7.16 |
| electron | electron | >= 1.8.0 < 1.8.8 | 1.8.8 |
| electron | electron | >= 2.0.0 < 2.0.8 | 2.0.8 |
| electron | electron | >= 3.0.0-beta.1 < 3.0.0-beta.7 | 3.0.0-beta.7 |
| electronjs | electron | — | — |
| electronjs | electron | — | — |
| electronjs | electron | — | — |
| electronjs | electron | — | — |
Detection & IOCs
- Look for Electron apps using 'nativeWindowOpen: true' or 'sandbox: true' WebPreferences options combined with nested IFRAME elements, as these configurations are the prerequisite for exploitation.
- Prioritize Electron versions 1.7.15, 1.8.7, 2.0.7, and 3.0.0-beta.6 for patching and detection; processes running these versions are exploitable.
- Monitor for Electron renderer processes where nodeIntegration is disabled but child windows are spawned via nested IFRAMEs; exploitation re-enables node bindings through a WebPreferences inheritance bypass.
- Detect exploitation attempts originating from XSS or remotely controlled URLs within Electron-rendered pages that attempt to open child windows.
- The vulnerability only manifests under specific WebPreferences configurations; apps NOT using 'nativeWindowOpen: true' or 'sandbox: true' with nested child windows are not affected.
- The PoC main.js deliberately disables nodeIntegration in the main process, demonstrating that the bypass works even when nodeIntegration is explicitly set to false. Detection rules should not rely solely on nodeIntegration=true as an indicator.
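CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |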
OSV
Electron webPreferences vulnerability can be used to perform remote code execution
osv·2018-08-23
CVE-2018-15685 [HIGH] Electron webPreferences vulnerability can be used to perform remote code execution
GitHub Electron 1.7.15, 1.8.7, 2.0.7, and 3.0.0-beta.6, in certain scenarios involving IFRAME elements and "nativeWindowOpen: true" or "sandbox: true" options, is affected by a webPreferences vulnerability that can be leveraged to perform remote code execution.
More information to determine if you are impacted can be found on the [electron blog](https://electronjs.org/blog/web-preferences-fix).
## Recommendation
Upgrade Electron to >=3.0.0-beta.7, >=2.0.8, >=1.8.8, or >=1.7.16.
GHSA
Electron webPreferences vulnerability can be used to perform remote code execution
ghsa·2018-08-23
CVE-2018-15685 [HIGH] CWE-1188 Electron webPreferences vulnerability can be used to perform remote code execution