Electron is a popular framework for building cross-platform desktop applications with JavaScript, HTML, and CSS. Electron apps that use the contextIsolation and contextBridge features were found to be vulnerable to a context isolation bypass, tracked as CVE-2023-29198: malicious code running in the main world of the renderer can reach into the isolated Electron (preload) context and perform privileged actions there.

Exploit Details

The issue arises when an API exposed to the main world through contextBridge returns an object or array that contains a JavaScript object which cannot be serialized, for instance a canvas rendering context. Under normal circumstances such a return value simply causes the exception "Error: object could not be cloned"; in affected versions, that failed serialization is what the bypass abuses.

The following snippet shows the vulnerable pattern: an API exposed through contextBridge whose return value contains an object that cannot be serialized. It reproduces the trigger condition only, not the full bypass.

// Preload script (runs in the isolated world)
const { contextBridge } = require('electron');

contextBridge.exposeInMainWorld('myElectronAPI', {
  getUnserializableObject: () => {
    const canvas = document.createElement('canvas');
    // A CanvasRenderingContext2D cannot be cloned; nesting it inside a
    // plain object is exactly the case the advisory describes.
    return { ctx: canvas.getContext('2d') };
  },
});

// Renderer script (runs in the main world): call the exposed function
console.log(window.myElectronAPI.getUnserializableObject());

In the snippet above, the getUnserializableObject function exposed via contextBridge returns a plain object that contains a canvas rendering context, a value that cannot be serialized. Normally this call throws "Error: object could not be cloned"; in affected versions the failed serialization is the starting point of the bypass.

App Side Workaround

To close this hole on the app side, make sure that every value returned from a function exposed over the context bridge, including values nested inside returned objects and arrays, is of a type contextBridge supports. In practice that means returning only the plain data the renderer needs (numbers, strings, arrays, plain objects) rather than the host object that produced it, and validating the return value in the preload script before it crosses the bridge. Sanitizing and validating bridged inputs and outputs in the app's own code is the reliable fix; a serialization helper that enforces the allowed shape can be used for that purpose.
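As an added illustration, not code from the original advisory or from the Electron project, the following preload-side guard validates every return value before contextBridge would marshal it. It is deliberately stricter than what contextBridge can actually carry: only primitives, arrays and plain objects pass, so a nested host object such as a canvas rendering context is rejected with a plain Error before the bridge ever sees it. The API names, the guardApi helper and the FakeCanvasRenderingContext2D stand-in are assumptions made for the demo; the block runs under plain Node without Electron.

```javascript
'use strict';

// Maximum nesting depth accepted in a bridged return value; deeper results
// are rejected rather than walked forever.
const MAX_DEPTH = 32;

function isPlainObject(value) {
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Walks a return value and reports the path of the first element that is not
// plain data (primitive, array, or plain object). Returns null when the whole
// value is safe. `ancestors` holds the objects on the current path so cycles
// are reported instead of recursed into.
function findUnsafe(value, path = 'result', depth = 0, ancestors = new Set()) {
  if (depth > MAX_DEPTH) return `${path} (nesting too deep)`;
  if (value === null || value === undefined) return null;
  const type = typeof value;
  if (type === 'string' || type === 'number' || type === 'boolean' || type === 'bigint') {
    return null;
  }
  if (type !== 'object') return path;          // functions, symbols: not plain data
  if (ancestors.has(value)) return `${path} (cycle)`;
  ancestors.add(value);
  try {
    if (Array.isArray(value)) {
      for (let i = 0; i < value.length; i++) {
        const bad = findUnsafe(value[i], `${path}[${i}]`, depth + 1, ancestors);
        if (bad !== null) return bad;
      }
      return null;
    }
    if (!isPlainObject(value)) return path;    // Map, Date, host objects, class instances
    for (const key of Object.keys(value)) {
      const bad = findUnsafe(value[key], `${path}.${key}`, depth + 1, ancestors);
      if (bad !== null) return bad;
    }
    return null;
  } finally {
    ancestors.delete(value);
  }
}

// Throws a plain Error (itself safe to cross the bridge) if `result` is not
// plain data; otherwise returns it unchanged.
function checkResult(name, result) {
  const bad = findUnsafe(result);
  if (bad !== null) {
    throw new Error(`${name}: refusing to return unsupported value at ${bad}`);
  }
  return result;
}

// Wraps each function of an API object so its result is validated before
// contextBridge tries to marshal it. Promise results are validated on
// resolution. The offending object itself never reaches the bridge.
function guardApi(api) {
  const guarded = {};
  for (const [name, fn] of Object.entries(api)) {
    if (typeof fn !== 'function') continue;
    guarded[name] = (...args) => {
      const result = fn(...args);
      if (result !== null && typeof result === 'object' && typeof result.then === 'function') {
        return result.then((resolved) => checkResult(name, resolved));
      }
      return checkResult(name, result);
    };
  }
  return guarded;
}

// Constructed stand-in for a host object that cannot be cloned, such as the
// CanvasRenderingContext2D a preload script gets from canvas.getContext('2d').
class FakeCanvasRenderingContext2D {
  constructor() {
    this.canvas = { width: 300, height: 150 };
  }
}

// The bug pattern: an unserializable object nested inside the return value.
const vulnerableApi = {
  getUnserializableObject: () => ({ ctx: new FakeCanvasRenderingContext2D() }),
};

// The fixed pattern: return only the plain data the renderer needs.
const fixedApi = {
  getCanvasSize: () => ({ width: 300, height: 150 }),
};

const guardedVulnerable = guardApi(vulnerableApi);
const guardedFixed = guardApi(fixedApi);

// In a real preload script the guarded object is what gets exposed:
//   contextBridge.exposeInMainWorld('myElectronAPI', guardApi(api));
```

The guard rejects anything that is not plain data, which is narrower than contextBridge's own support table (it will refuse a Date or a Map, for example); widen the allowlist only for types you have confirmed the bridge serializes, and keep the path in the error message so the offending API is easy to find in testing.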

Fixed Versions

The fix is included in Electron 22.3.6; consult the release notes for the patched builds of other release lines. Developers are advised to update their apps to a fixed version. The app-side workaround above is defense in depth, not a substitute for upgrading.

Original References

- Electron Release Notes: https://github.com/electron/electron/releases
- CVE-2023-29198 Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29198

Conclusion

CVE-2023-29198 outlines a serious vulnerability in the Electron framework, affecting apps that utilize the contextIsolation and contextBridge features. By updating their apps' Electron versions and implementing the described workaround, developers can mitigate the risks associated with this context isolation bypass vulnerability.

Timeline

Published on: 09/06/2023 21:15:00 UTC
Last modified on: 09/11/2023 18:58:00 UTC