Low severityNVD Advisory· Published Jul 7, 2020· Updated Aug 4, 2024
Context isolation bypass via Promise in Electron
CVE-2020-15096
Description
In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affected. There are no app-side workarounds, you must update your Electron version to be protected. This is fixed in versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
electronnpm | < 6.1.11 | 6.1.11 |
electronnpm | >= 7.0.0, < 7.2.4 | 7.2.4 |
electronnpm | >= 8.0.0, < 8.2.4 | 8.2.4 |
Affected products
2- Range: < 6.1.1
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-6vrv-94jv-crrgghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-15096ghsaADVISORY
- github.com/electron/electron/security/advisories/GHSA-6vrv-94jv-crrgghsax_refsource_CONFIRMWEB
- www.electronjs.org/releases/stableghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.