electron-builder's NSIS installer - execute arbitrary code on the target machine (Windows only)
Description
electron-builder NSIS installer on Windows searches current directory for cmd.exe before system PATH, enabling untrusted search path attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
A vulnerability in electron-builder versions prior to 24.13.2 affects the NSIS installer on Windows. The installer uses the nsExec plugin to execute cmd.exe via the .nsh installer script. By default, nsExec searches the current directory (where the installer is located) before searching the system PATH. This allows an attacker to place a malicious executable named cmd.exe in the same folder as the installer, causing the installer to run the attacker-controlled file instead of the legitimate system command. The root cause is a failure to specify the full absolute path to cmd.exe, leading to an untrusted search path (CWE-426). [1][4]
Exploitation Conditions
Exploitation requires the attacker to have a means of placing a malicious cmd.exe in the same directory as the installer before it is executed. This could occur if an attacker distributes a trojanized installer or if a user extracts an installer archive into a directory where an attacker has write access. No authentication or elevated privileges are needed from the attacker, but the user must be tricked into running the installer from a compromised location. The vulnerability is Windows-specific and does not affect macOS or Linux builds. [1]
Impact and Mitigation
If exploited, the attacker achieves arbitrary code execution at the installer privilege level, which typically runs with the current user's permissions. This could lead to full compromise of the user's session or installation of malware. The code executes before the application is present, making pre-install checks impossible. The fix in version 24.13.2 replaces relative cmd calls with absolute paths using %SYSTEMROOT%\System32\cmd.exe, preventing the directory search order attack. No workaround exists; users must update to the patched version. [1][3]
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
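A build-time check for the pattern the fix removes, as an added example (not electron-builder's code): it scans NSIS script text for `nsExec::Exec` calls whose program is not fully qualified. The function names and the accepted-prefix list are assumptions; it goes one step beyond the patch by also checking commands handed to `cmd /c`, which cmd.exe resolves through its own search order. The sample lines are taken from the diff on this page.

```python
import re

# nsExec::Exec, ExecToLog, ExecToStack; optional /OEM or /TIMEOUT=n flags; quoted command.
NSEXEC = re.compile(r"nsExec::Exec\w*\s+(?:/\S+\s+)*([`'\"])(.+)\1")
# Program prefixes treated as fully qualified (assumption: extend for your templates).
QUALIFIED = re.compile(r"^(?:[A-Za-z]:\\|%(?:SYSTEMROOT|WINDIR)%\\|\$(?:SYSDIR|WINDIR)\\)", re.I)
CMD_WRAPPER = re.compile(r"(?:^|\\)cmd(?:\.exe)?$", re.I)

# Sample input: one pre-fix line, one post-fix line, one unchanged context line.
SAMPLE = r'''
nsExec::Exec `cmd /c taskkill /im "${APP_EXECUTABLE_FILENAME}" /fi "PID ne $pid" /fi "USERNAME eq %USERNAME%"`
nsExec::Exec `%SYSTEMROOT%\System32\cmd.exe /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq ${_FILE}" /FO csv | %SYSTEMROOT%\System32\find.exe "${_FILE}"`
nsExec::Exec `taskkill /f /im "${APP_EXECUTABLE_FILENAME}" /fi "PID ne $pid"`
'''.strip()


def program_of(command):
    """Return (program, rest) for a command line, honouring a quoted program path."""
    command = command.strip()
    if command.startswith('"'):
        prog, _, rest = command[1:].partition('"')
    else:
        prog, _, rest = command.partition(" ")
    return prog, rest.strip()


def unqualified_programs(nsh_text):
    """List (line_no, program) for every nsExec program resolved by search order."""
    findings = []
    for no, line in enumerate(nsh_text.splitlines(), 1):
        m = NSEXEC.search(line)
        if not m:
            continue
        prog, rest = program_of(m.group(2))
        if not QUALIFIED.match(prog):
            findings.append((no, prog))
        # cmd /c re-resolves the names it is given, so check each piped or
        # chained command too (naive split: ignores | or & inside quotes).
        if CMD_WRAPPER.search(prog) and rest.lower().startswith("/c"):
            for part in re.split(r"[|&]+", rest[2:]):
                inner, _ = program_of(part)
                if inner and not QUALIFIED.match(inner):
                    findings.append((no, inner))
    return findings


if __name__ == "__main__":
    for line_no, program in unqualified_programs(SAMPLE):
        print(f"line {line_no}: '{program}' is resolved by search order")
```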
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| app-builder-lib (npm) | < 24.13.2 | 24.13.2 |
Affected products: 3
- ghsa-coords, 2 versions: < 24.13.2 + 1 more
- (no CPE) range: < 24.13.2
- (no CPE) range: < 15.1.6-1.1
- Range: < 24.13.2
Patches
8f4acff3c2d4 fix: execute `%SYSTEMROOT%` cmd.exe directly during NSIS installer (#8059)
2 files changed · +8 −3
.changeset/large-trainers-enjoy.md+5 −0 added@@ -0,0 +1,5 @@ +--- +"app-builder-lib": patch +--- + +fix: execute %SYSTEMROOT% cmd.exe directly during NSIS installer
packages/app-builder-lib/templates/nsis/include/allowOnlyOneInstallerInstance.nsh+3 −3 modified@@ -42,7 +42,7 @@ ${nsProcess::FindProcess} "${_FILE}" ${_ERR} !else # find process owned by current user - nsExec::Exec `cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq ${_FILE}" /FO csv | %SYSTEMROOT%\System32\find.exe "${_FILE}"` + nsExec::Exec `%SYSTEMROOT%\System32\cmd.exe /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq ${_FILE}" /FO csv | %SYSTEMROOT%\System32\find.exe "${_FILE}"` Pop ${_ERR} !endif !macroend @@ -73,7 +73,7 @@ !ifdef INSTALL_MODE_PER_ALL_USERS nsExec::Exec `taskkill /im "${APP_EXECUTABLE_FILENAME}" /fi "PID ne $pid"` !else - nsExec::Exec `cmd /c taskkill /im "${APP_EXECUTABLE_FILENAME}" /fi "PID ne $pid" /fi "USERNAME eq %USERNAME%"` + nsExec::Exec `%SYSTEMROOT%\System32\cmd.exe /c taskkill /im "${APP_EXECUTABLE_FILENAME}" /fi "PID ne $pid" /fi "USERNAME eq %USERNAME%"` !endif # to ensure that files are not "in-use" Sleep 300 @@ -91,7 +91,7 @@ !ifdef INSTALL_MODE_PER_ALL_USERS nsExec::Exec `taskkill /f /im "${APP_EXECUTABLE_FILENAME}" /fi "PID ne $pid"` !else - nsExec::Exec `cmd /c taskkill /f /im "${APP_EXECUTABLE_FILENAME}" /fi "PID ne $pid" /fi "USERNAME eq %USERNAME%"` + nsExec::Exec `%SYSTEMROOT%\System32\cmd.exe /c taskkill /f /im "${APP_EXECUTABLE_FILENAME}" /fi "PID ne $pid" /fi "USERNAME eq %USERNAME%"` !endif !insertmacro FIND_PROCESS "${APP_EXECUTABLE_FILENAME}" $R0 ${If} $R0 == 0
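Review bot: In the `@@ -42,7 +42,7` hunk of allowOnlyOneInstallerInstance.nsh the new line qualifies `cmd.exe` and `find.exe` but still hands bare `tasklist` to `cmd /c`. cmd.exe resolves that name through its own search, which by default checks the current directory before PATH, so the lookup this patch closes for `cmd` stays open for `tasklist`. Suggest writing it as `%SYSTEMROOT%\System32\tasklist.exe`, the same way `find.exe` is already written on that line.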
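Review bot: In the `@@ -73,7 +73,7` hunk the `INSTALL_MODE_PER_ALL_USERS` branch is left as unchanged context, so `nsExec::Exec` still launches `taskkill` by bare name there, which is the same unqualified lookup the `!else` line is being fixed for. The changed `!else` line also passes bare `taskkill` to `cmd /c`. Suggest `%SYSTEMROOT%\System32\taskkill.exe` in both branches; the same applies to the `taskkill /f` pair in the `@@ -91,7 +91,7` hunk.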
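Review bot: In the `@@ -91,7 +91,7` hunk (and the two before it) the absolute path is built from the `%SYSTEMROOT%` environment variable, which the installer inherits from whatever process launched it. NSIS provides the `$SYSDIR` constant for the system directory, so `$SYSDIR\cmd.exe` would give the same path without depending on the inherited environment. If `%SYSTEMROOT%` is kept, a short comment in the template saying why would help the next reader.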
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- github.com/advisories/GHSA-r4pf-3v7r-hh55 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-27303 (ghsa, ADVISORY)
- github.com/electron-userland/electron-builder/commit/8f4acff3c2d45c1cb07779bb3fe79644408ee387 (ghsa, x_refsource_MISC, WEB)
- github.com/electron-userland/electron-builder/pull/8059 (ghsa, x_refsource_MISC, WEB)
- github.com/electron-userland/electron-builder/security/advisories/GHSA-r4pf-3v7r-hh55 (ghsa, x_refsource_CONFIRM, WEB)