---

Electron is the backbone of many apps you probably use every day—Slack, Visual Studio Code, Discord, and countless others. It lets developers create cross-platform desktop apps using JavaScript, HTML, and CSS. But with great popularity comes a bigger attack surface. In late 2023, a major security issue—CVE-2023-23623—was discovered in Electron versions 22 and 23. This bug made it possible for attackers to bypass strict content security policies under certain conditions, exposing users to dangerous attacks like code injection.

In this article, we’ll break down what CVE-2023-23623 is, show you some code examples so you can see how it works, and provide simple steps to keep your apps safe.

What is CVE-2023-23623?

At its core, CVE-2023-23623 is a vulnerability in Electron’s renderer process sandboxing. Electron uses a configuration option called sandbox. When sandbox is set to false (the default in many setups), security policies you set in your HTML—like Content Security Policy (CSP) rules forbidding eval and similar risky JavaScript constructs—are not actually enforced.

That means even if your CSP says, “Don’t allow eval!”, Electron might let it through anyway unless you’ve explicitly turned on the sandbox. Given that malicious code often uses eval() or new Function() to execute payloads, this could let an attacker run anything they want in your app’s context.

Fixed in: 22..1, 23..-alpha.2

- Official advisory: GitHub Security Advisory - Electron CVE-2023-23623

Why Did This Happen? Understanding The Bug

Electron's renderer process is kind of like a web browser window running inside your app. Normally, modern browsers enforce CSPs very strictly: tell them to block eval, and they do! But in Electron, unless you turn on the sandbox, these same rules are ignored.

Imagine you wrote this policy into your HTML

<meta http-equiv="Content-Security-Policy" content="script-src 'self';">

This says: "Only allow scripts from this page, and don't allow unsafe code like 'eval'!" But in Electron without sandboxing, a script like this would still work:

eval("alert('Surprise! CSP should have blocked me!')");

That’s a huge issue if your app loads any dynamic content that could be manipulated by a hacker.

Exploit Scenario: How an Attacker Could Use This

Say your Electron app loads remote content or shows user-generated HTML (like chat messages, markdown files, or email bodies). Even with a seemingly strict CSP, disabling the sandbox (sandbox: false) opens the door.
Malicious content could include injected scripts that use eval() or new Function() to execute more dangerous code, leading to credential theft, data leaks, or even running programs on your users’ computers.

Suppose you have a window configuration like this

// main.js
const win = new BrowserWindow({
  webPreferences: {
    nodeIntegration: true, // risky!
    contextIsolation: false, // risky!
    sandbox: false // THIS is our problem!
  }
});

And in your renderer

<!-- index.html -->
<meta http-equiv="Content-Security-Policy" content="script-src 'self';">

<script>
  // This should be blocked by CSP, but will run with sandbox: false!
  eval("require('fs').writeFileSync('hacked.txt', 'You got owned!')");
</script>

This allows a remote attacker to run any Node.js command if they can inject JavaScript!

1. Upgrade Electron

The best way to fix this vulnerability is to upgrade.
- Patched versions: Electron 22..1, Electron 23..-alpha.2

If you can’t upgrade, set sandbox: true on every window

const win = new BrowserWindow({
  webPreferences: {
    sandbox: true,
    // It's best to also set:
    nodeIntegration: false,
    contextIsolation: true
  }
});

This makes CSP rules work as they should, blocking eval() and similar attacks.

Never allow unsafe-eval or unsafe-inline.

- <https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP>

More Resources

- GitHub Security Advisory
- Electron Release Notes
- Electron Security Tutorial
- CVE Details page

Bottom Line

CVE-2023-23623 is a great reminder that desktop apps built with web technology need the same care and attention as websites when it comes to security. If you're developing with Electron, always read the security recommendations, enable sandbox: true, and stay on top of updates.

It’s quick fixes like this that can save your users—and your app’s reputation—from serious harm.


Need help patching your Electron app? Found something in the wild? Drop your experiences in the comments!

*(If you use or depend on an Electron-based app, consider sharing this post with your dev team for a security checkup.)*

Timeline

Published on: 09/06/2023 21:15:08 UTC
Last modified on: 09/11/2023 19:02:53 UTC