Platform: nodejs
Component: electron
Fixed in: 1.6.14
CVE-2017-16151 is a critical Remote Code Execution (RCE) vulnerability affecting ElectronJS applications. This flaw allows attackers to execute arbitrary code by exploiting how affected applications handle remote content, even when the sandbox option is enabled. The vulnerability impacts ElectronJS versions prior to 1.6.14, and a fix is available in version 1.6.14 and later.
The impact of CVE-2017-16151 is severe. An attacker can leverage this vulnerability to gain complete control over an affected ElectronJS application and potentially the underlying system. This could involve stealing sensitive data, installing malware, or disrupting operations. The ability to bypass the sandbox significantly increases the attack surface, as it allows attackers to execute code with the privileges of the application. Successful exploitation could mirror the impact of other RCE vulnerabilities, allowing for persistent access and lateral movement within a network.
CVE-2017-16151 was publicly disclosed in July 2018. While no active exploitation campaigns have been definitively linked to this specific CVE, the RCE nature of the vulnerability makes it a high-priority target. Public proof-of-concept exploits are available, increasing the risk of exploitation. This vulnerability is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 2.70% (86% percentile)
CVSS Vector
The primary mitigation for CVE-2017-16151 is to immediately update ElectronJS to version 1.6.14 or later. If upgrading is not immediately feasible, consider implementing stricter content security policies (CSP) within the application to restrict the sources from which content can be loaded. Carefully review and validate all remote content accessed by the application. While a direct workaround is unavailable, implementing robust input validation and sanitization can help reduce the attack surface. After upgrading, verify the fix by attempting to load a known malicious remote resource and confirming that the application does not execute arbitrary code.
CVE-2017-16151 is a critical Remote Code Execution vulnerability in ElectronJS applications that allows attackers to execute arbitrary code when accessing remote content, even with the sandbox enabled.
You are affected if you are using ElectronJS versions prior to 1.6.14 and your application accesses remote content. Assess your ElectronJS version immediately.
Update ElectronJS to version 1.6.14 or later. Implement stricter content security policies (CSP) as an interim measure if upgrading is not immediately possible.
While no confirmed active campaigns are publicly known, the RCE nature of the vulnerability makes it a high-priority target, and public PoCs exist.
Refer to the ElectronJS security advisories: https://github.com/electron/electron/security/advisories
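One way to assess the ElectronJS version as described above, written as an added example (not code from this page or from the Electron project). It compares the electron entry in a project's `package.json` and `package-lock.json` against the 1.6.14 fix version stated on this page; the function names and sample manifests are constructed for illustration.

```javascript
// Fixed release as stated on this page ("Fixed in: 1.6.14").
const FIXED = [1, 6, 14];

// Extract major.minor.patch from "1.6.11", "v1.6.11", "^1.6.0", "~1.6.2".
// Returns null when there is no concrete triple (git URLs, "latest", "*", ">=...").
function parseVersion(spec) {
  const m = /^[\^~=v\s]*(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  return m ? m.slice(1, 4).map(Number) : null;
}

// true = below the fix, false = at or above it, null = cannot tell.
function isBelowFix(spec) {
  const v = parseVersion(spec);
  if (!v) return null;
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED[i]) return v[i] < FIXED[i];
  }
  return false;
}

// Find the resolved electron version in either package-lock.json layout:
// lockfile v2/v3 uses "packages", lockfile v1 uses "dependencies".
function lockedElectron(lock) {
  if (!lock) return null;
  const v2 = lock.packages && lock.packages["node_modules/electron"];
  const v1 = lock.dependencies && lock.dependencies.electron;
  return (v2 && v2.version) || (v1 && v1.version) || null;
}

function auditElectron(pkg, lock) {
  const declared = (pkg.dependencies && pkg.dependencies.electron) ||
                   (pkg.devDependencies && pkg.devDependencies.electron) || null;
  const locked = lockedElectron(lock);
  // The lock file records what is actually installed, so it takes precedence.
  // Without it, the lower bound of the declared range is used (conservative).
  const basis = locked || declared;
  const below = basis ? isBelowFix(basis) : null;
  const status = basis === null ? "not-found"
               : below === null ? "unknown"
               : below ? "affected" : "fixed";
  return { declared, locked, status };
}

// Constructed sample manifests: the range allows a fixed release,
// but the lock file pins an older one.
const samplePkg = { devDependencies: { electron: "^1.6.0" } };
const sampleLock = { dependencies: { electron: { version: "1.6.11" } } };
console.log(auditElectron(samplePkg, sampleLock));
```

In a real project, pass the parsed contents of `package.json` and `package-lock.json` to `auditElectron`; an "unknown" status means the declared spec has no concrete version and needs manual review.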