CVE-2023-29198 - Understanding and Exploiting the Electron Context Isolation Bypass

If you’ve ever written a desktop app in JavaScript, chances are you’ve used Electron. Electron is popular because it lets you build desktop apps for Windows, macOS, and Linux using web tech like HTML, CSS, and JavaScript. Under the hood, Electron runs your code like a mini web browser with Node.js support. For security, Electron introduces controls like contextIsolation and contextBridge to keep privileged code separate from the rest. But in 2023, researchers discovered a big bug: CVE-2023-29198.

This long read explains what CVE-2023-29198 is, how it works, the danger it poses, shows a simple code example of the bug, and explains how to keep your apps safe — in plain English.

What is CVE-2023-29198?

CVE-2023-29198 is a vulnerability that lets attackers bypass the “context isolation” barrier in Electron apps. Normally, contextIsolation tries to separate your app’s regular web code (the renderer) from privileged APIs, so if hackers take over the web context, they can’t easily access sensitive features.

But in certain conditions, if you use contextBridge to expose custom APIs, and these APIs return complex objects (like a canvas rendering context), then an attacker can break out and access privileged features. This is a context isolation bypass.

If you use an older version, you could be at serious risk!

Official Advisory: GHSA-7dxg-7h33-7p7x

1. Context Isolation and contextBridge 101

In Electron, you can expose custom APIs from a “preload” script to your renderer code using contextBridge, like this:

// preload.js
const { contextBridge } = require('electron');

contextBridge.exposeInMainWorld('myAPI', {
  returnData: () => {
    return {key: "value"};
  }
});

With contextIsolation: true, JavaScript in the renderer (website) can only access the safe APIs you explicitly expose:

// In your renderer script (index.html)
window.myAPI.returnData(); // {key: "value"}

2. The Vulnerable Pattern

The bug happens if returnData accidentally returns a complex JavaScript object that the contextBridge messenger system cannot serialize, like a CanvasRenderingContext2D.

For example

// preload.js
contextBridge.exposeInMainWorld('myAPI', {
  getCanvasContext: () => {
    const canvas = document.createElement('canvas');
    return canvas.getContext('2d'); // BAD: This is not serializable!
  }
});

When the renderer calls

// index.html
const ctx = window.myAPI.getCanvasContext();

Electron tries to clone the object to pass it safely, but fails with

Error: object could not be cloned

But because of a missing security check, skilled attackers can exploit this failure to hijack the isolated context and gain access to privileged APIs — breaking context isolation entirely.

Exploit Details (Simplified PoC)

Suppose an electron app exposes a function like the one above. An attacker could try to trigger this error, and take control like this:

// Run inside renderer context (malicious web script)
try {
  // Bad API returns unserializable object
  window.myAPI.getCanvasContext();
} catch (e) {
  // Now attacker leverages the error and the prototype chain to "break out"
  // (This is a simplified illustration. Full exploits involve crafting special objects,
  // catching thrown errors, and chaining them to bypass contextIsolation.)
  console.log("Exploited! Now we can reach privileged context!");
  // ...do bad stuff
}

In real attacks, this is chained with other JavaScript engine quirks to "jump" into the privileged Electron context.

To avoid this bug

1. Only expose serializable objects.
Make sure every value your exposed functions return can be cloned/serialized by Electron. Stick to simple values (numbers, strings, arrays, plain objects).

// SAFE: Only returns strings and arrays
contextBridge.exposeInMainWorld('mySafeAPI', {
  getNames: () => ["alice", "bob"]
});

2. Never expose DOM nodes, canvas contexts, or complex objects.

Bonus: Always validate your API input and output types!

3. Update Electron!

22.3.6

Find more here: Electron Release Notes

References and Further Reading

- Official Electron Security Advisory (GHSA-7dxg-7h33-7p7x)
- NVD Entry for CVE-2023-29198
- Electron contextIsolation Documentation
- Electron contextBridge Documentation
- Red Hat Advisory on CVE-2023-29198

TL;DR (Summary)

- CVE-2023-29198 allows bypassing Electron’s context isolation in certain apps using contextBridge.

Timeline

Published on: 09/06/2023 21:15:00 UTC
Last modified on: 09/11/2023 18:58:00 UTC