@electron/packager's build process memory potentially leaked into final executable
Description
Electron Packager bundles Electron-based application source code with a renamed Electron executable and supporting files into folders ready for distribution. A random segment of ~1-10kb of Node.js heap memory allocated either side of a known buffer will be leaked into the final executable. This memory _could_ contain sensitive information such as environment variables, secrets files, etc. This issue is patched in 18.3.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Electron Packager before 18.3.1 leaks 1-10KB of Node.js heap memory into packaged executables, potentially exposing sensitive data like environment variables.
Vulnerability
Overview
CVE-2024-29900 describes a memory disclosure vulnerability in Electron Packager, a tool that bundles Electron application source code into distributable executables. During the packaging process, a random segment of approximately 1-10 KB of Node.js heap memory allocated adjacent to a known buffer is inadvertently included in the final executable [1]. The root cause, as shown in the fix commit, involves improper handling of the integrity buffer where the original code directly serialized the asarIntegrity object without first extracting and filtering the necessary fields, leading to the inclusion of extraneous heap memory [4].
Exploitation
The vulnerability is exploitable by anyone who obtains a packaged executable created by an affected version of Electron Packager. No authentication or special network position is required; an attacker can simply analyze the binary file to extract the leaked memory region. The leaked data is a contiguous block of heap memory that may contain sensitive information such as environment variables, secrets files, or other in-memory data [3].
Impact
If an attacker successfully extracts the leaked memory, they could gain access to sensitive information that was present in the Node.js heap at the time of packaging. This could include API keys, database credentials, or other secrets, potentially leading to further compromise of the application or its associated services [1][3].
Mitigation
The issue is patched in Electron Packager version 18.3.1. According to the security advisory, there are no workarounds; users must update to the patched version immediately to prevent exposure [3]. The fix ensures that only the necessary integrity data is written to the executable, eliminating the heap memory leak [4].
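The two serialization patterns side by side, with a pre-embed length check, as an added example that is not code from the Electron Packager project; `asarIntegrity`, the hash and the neighbouring string are constructed values, and the pool-slab behaviour assumed is Node.js's.

```javascript
// Added example, not code from the Electron Packager project: why `Buffer.from(x).buffer`
// embeds neighbouring heap bytes, and a length check to run before writing the resource.
// Assumes Node.js, where small Buffers are carved from a shared 8 KiB pool slab.

// Constructed stand-in for the packager's options.asarIntegrity map.
const asarIntegrity = {
  'resources/app.asar': { algorithm: 'SHA256', hash: 'deadbeef01' }, // constructed hash
};

// Pre-fix pattern: `.buffer` is the ArrayBuffer backing the view, i.e. the whole pool
// slab, not just the JSON bytes, so whatever else was carved from that slab comes along.
function integrityPayloadUnsafe(integrity) {
  return Buffer.from(JSON.stringify(integrity)).buffer;
}

// Post-fix shape: one {file, alg, value} record per asar file.
function toIntegrityList(integrity) {
  return Object.keys(integrity).map((file) => ({
    file, alg: integrity[file].algorithm, value: integrity[file].hash,
  }));
}

// Post-fix pattern: keep the Buffer view, whose length is exactly the encoded JSON.
function integrityPayloadFixed(integrity) {
  return Buffer.from(JSON.stringify(toIntegrityList(integrity)), 'utf-8');
}

// Pre-embed check: any byte beyond the encoded JSON is heap spill, not integrity data.
function excessBytes(payload, expectedJson) {
  return payload.byteLength - Buffer.byteLength(expectedJson, 'utf-8');
}

// A small Buffer allocated just before the JSON usually lands in the same slab, so the
// unsafe payload carries it; returns false if the two happened to get different slabs.
function slabCarriesNeighbour() {
  const neighbour = Buffer.from('CONSTRUCTED_SECRET=not-a-real-value'); // constructed
  const slab = integrityPayloadUnsafe(asarIntegrity);
  return neighbour.buffer === slab && Buffer.from(slab).includes('CONSTRUCTED_SECRET');
}

function report() {
  return {
    unsafeExcess: excessBytes(integrityPayloadUnsafe(asarIntegrity), JSON.stringify(asarIntegrity)),
    fixedExcess: excessBytes(integrityPayloadFixed(asarIntegrity), JSON.stringify(toIntegrityList(asarIntegrity))),
    fixedEntries: JSON.parse(integrityPayloadFixed(asarIntegrity).toString('utf-8')),
  };
}
if (typeof require !== 'undefined' && require.main === module) {
  console.log(report(), 'neighbour in slab:', slabCarriesNeighbour());
}
```

On a stock Node.js build `unsafeExcess` is the slab size minus the JSON length (thousands of bytes), while `fixedExcess` is 0, which is the property a packaging pipeline can assert on before embedding the resource.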
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @electron/packager (npm) | >= 18.3.0, < 18.3.1 | 18.3.1 |
Affected products
- Range: < 18.3.1
- electron/packager (v5): Range: = 18.3.0
Patches
d421d4bd3ced fix: do not deref the integrity buffer (#1699)
1 file changed · +8 −3
src/resedit.ts+8 −3 modified@@ -116,10 +116,15 @@ export async function resedit(exePath: string, options: ExeMetadata) { // Asar Integrity if (options.asarIntegrity) { + const integrityList = Object.keys(options.asarIntegrity).map((file) => ({ + file, + alg: options.asarIntegrity![file].algorithm, + value: options.asarIntegrity![file].hash, + })); res.entries.push({ - type: 'Integrity', - id: 'ElectronAsar', - bin: Buffer.from(JSON.stringify(options.asarIntegrity)).buffer, + type: 'INTEGRITY', + id: 'ELECTRONASAR', + bin: Buffer.from(JSON.stringify(integrityList), 'utf-8'), lang: languageInfo[0].lang, codepage: languageInfo[0].codepage, });
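Review bot: the line that actually closes the leak is the `bin:` change, where `Buffer.from(...).buffer` (the ArrayBuffer backing the view, which for a small Buffer is Node's shared pool slab rather than just the JSON bytes) becomes `Buffer.from(JSON.stringify(integrityList), 'utf-8')`, but nothing in the hunk records why; a one-line comment above `bin:` and a regression test asserting the pushed entry's `bin.byteLength` equals `Buffer.byteLength(JSON.stringify(integrityList))` would stop the `.buffer` form from being reintroduced. The same hunk also changes the resource format unrelated to the leak (`'Integrity'` to `'INTEGRITY'`, `'ElectronAsar'` to `'ELECTRONASAR'`, and the per-file object map replaced by a `{file, alg, value}` list), which consumers of the resource have to match, so it should be called out in the commit message or a changelog entry. Minor: binding `const integrity = options.asarIntegrity` before the `map` would avoid repeating the non-null assertion `options.asarIntegrity![file]` twice inside the callback.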
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-34h3-8mw4-qw57 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-29900 (ghsa; ADVISORY)
- github.com/electron/packager/commit/d421d4bd3ced889a4143c5c3ab6d95e3be249eee (ghsa; x_refsource_MISC; WEB)
- github.com/electron/packager/security/advisories/GHSA-34h3-8mw4-qw57 (ghsa; x_refsource_CONFIRM; WEB)