Electron has quickly become the go-to framework for building cross-platform desktop applications using JavaScript, HTML, and CSS. Popular apps like VS Code, Discord, and Slack rely on Electron to bring web tech to the desktop. But like any complex framework, it can have vulnerabilities that put app users at risk.

Today, we dive into CVE-2023-39956, a recent Electron security issue that affects apps launched from the command line with an attacker-controlled working directory. We’ll break down what the flaw is, how it works, how it could be exploited, and, most importantly, how you can protect yourself.

What is CVE-2023-39956?

CVE-2023-39956 is a vulnerability in the Electron app framework. A local attacker who can write to the directory an Electron app is launched from can plant files there, and under the right (though uncommon) circumstances those files are loaded and run as attacker-supplied code inside the app.

No app-side workaround exists. Upgrading Electron is the only fix.

> Patched versions:  
26.0.0-beta.13, 25.4.1, 24.7.1, 23.3.13, 22.3.19  
See Electron Security Advisories for more.

Technical Details: How Does the Exploit Work?

When you start an Electron app (or any Node.js program) from the command line, it inherits the shell’s current working directory as `process.cwd()`. Most of the time that is harmless, but any code path that resolves a file or module name against the working directory rather than against the app’s own location will, when the working directory is attacker-controlled, load whatever the attacker put there.

1. The attacker convinces the victim to `cd` into a directory the attacker controls (a shared folder, an extracted archive, a cloned repository).

2. The attacker drops a malicious module there (a planted `node_modules/` tree or a loose JavaScript file) whose name matches something the app resolves from its working directory.

Suppose an Electron app loads a helper module like this:

```js
// main.js
const helper = require('./helper');
helper.launch();
```

This line on its own is not enough to be hijacked: Node.js resolves a relative `require('./helper')` against the directory of the calling module (`__dirname`), not against the process working directory. The hijackable pattern is a path anchored at `process.cwd()`, for example a helper located with `path.resolve('helper')` or a configuration file read with `fs.readFileSync('config.json')`. When the working directory is attacker-controlled, such a lookup finds the attacker’s `helper.js` even though the app’s real helper lives somewhere else entirely.

The attacker’s malicious helper.js:

```js
// Malicious helper.js planted in the working directory.
const { exec } = require('child_process');
exec('calc.exe'); // runs as soon as the file is required; on Windows, launches Calculator as a PoC
module.exports = {
    launch: () => { /* no-op or evil code, so the app keeps working and nothing looks wrong */ }
};
```

The victim is then lured into that directory before starting the app from the same shell, so the planted directory becomes the app’s working directory:

```sh
cd /tmp/evil   # attacker-controlled directory containing helper.js
# ...then launch the Electron app from this shell; /tmp/evil is now its process.cwd()
```

Normally, Electron’s ASAR integrity validation (which checks the hash of the bundled app.asar against a value embedded at build time) prevents a tampered application bundle from running.

- That check only covers files inside the archive. A file loaded from the working directory sits outside app.asar, so it is never hashed and the protection is bypassed without touching the bundle at all.
- Attacks that require local file-system access are normally considered outside Electron’s threat model, but Electron made an exception and shipped a fix because the bug defeats a defense-in-depth feature (ASAR integrity) that apps rely on.

No Workarounds – Update Electron!

There is NO application-side fix or mitigation.

Official Electron Security Advisory:

Electron - Security Updates Released August 2023

CVE Record:

NVD entry for CVE-2023-39956

Electron's Security Docs:

Security, Native Node Modules, and ASAR

Example community report:

HackerOne - Electron Directory Hijack (external/archived, if available)

Conclusion

CVE-2023-39956 is a subtle, but serious, local exploit route in Electron. While the attack requires some setup and local access (specifically, write access to the directory the app is launched from), its ability to bypass a built-in protection like ASAR integrity makes it more important than the average “local” bug. Update your Electron apps now, and stay safe!


Timeline

Published on: 09/06/2023 21:15:00 UTC
Last modified on: 09/12/2023 12:32:00 UTC