VYPR
Get started
← All advisories
High severity8.1NVD Advisory· Published Aug 6, 2017· Updated May 13, 2026

CVE-2017-12581

CVE-2017-12581

Description

GitHub Electron before 1.6.8 allows remote command execution because of a nodeIntegration bypass vulnerability. This also affects all applications that bundle Electron code equivalent to 1.6.8 or earlier. Bypassing the Same Origin Policy (SOP) is a precondition; however, recent Electron versions do not have strict SOP enforcement. Combining an SOP bypass with a privileged URL internally used by Electron, it was possible to execute native Node.js primitives in order to run OS commands on the user's host. Specifically, a chrome-devtools://devtools/bundled/inspector.html window could be used to eval a Node.js child_process.execFile API call.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
electronnpm
< 1.6.81.6.8

Affected products

1

Patches

1
05b6d91bf4c1

Disable node integration in chrome-devtools: URLs

https://github.com/electron/electronKevin SawickiApr 24, 2017via ghsa
commit
1 file changed · +1 1
  • lib/renderer/init.js+1 1 modified
    @@ -78,7 +78,7 @@ for (let arg of process.argv) {
 if (window.location.protocol === 'chrome-devtools:') {
   // Override some inspector APIs.
   require('./inspector')
-  nodeIntegration = 'true'
+  nodeIntegration = 'false'
 } else if (window.location.protocol === 'chrome-extension:') {
   // Add implementations of chrome API.
   require('./chrome-api').injectTo(window.location.hostname, isBackgroundPage, window)

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.