VYPR
High severity · NVD Advisory · Published Jul 9, 2024 · Updated Aug 2, 2024

Code Signing Bypass on Windows in electron-updater < 6.3.0-alpha.6

CVE-2024-39698

Description

electron-updater on Windows suffers from a signature verification bypass due to environment variable expansion in cmd.exe, allowing malicious updates to be executed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The vulnerability resides in windowsExecutableCodeSignatureVerifier.ts within the electron-updater package [1][2]. The signature verification routine for Windows passes a command through cmd.exe, which expands environment variables before execution. This allows an attacker to craft a malicious update that, via environment variable manipulation, causes verifySignature() to check the certificate of a legitimate file instead of the downloaded malicious file [3].

Exploitation

An attacker must first compromise the update manifest (e.g., via server compromise, man-in-the-middle attack, or cross-site scripting) to point the Electron app to a malicious update server [2]. Then, a crafted update with an invalid signature can be delivered. Due to the environment variable expansion, the signature check passes on a different file, while the malicious update is executed [3].

Impact

Successful exploitation allows arbitrary code execution within the context of the Electron application. The attacker can bypass signature validation and execute unsigned or maliciously signed payloads, leading to full compromise of the user's system under the app's privileges [1].

Mitigation

The issue is patched in electron-updater version 6.3.0-alpha.6 and later. The fix adds a validation step that compares the normalized LiteralPath reported by the signature check against the normalized path of the downloaded update file, so the file whose signature was verified is the one that will actually be executed [4]. Users should update to 6.3.0-alpha.6 or later to mitigate this vulnerability.
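The path-binding check that the Mitigation paragraph describes, written here as an added example for this page rather than taken from electron-updater: the signature tool's output is modelled as a small typed record (an assumed shape, not the project's real type), and the LiteralPath it reports is compared against the path of the downloaded file after both are normalized and case-folded. It goes beyond the patch in two ways, both labelled in the code: a missing `Path` fails closed instead of being skipped with a warning, and an update path containing cmd.exe `%NAME%` expansion syntax is refused before any shell is involved. All sample inputs are constructed.

```typescript
// Added example; not electron-updater's own code. A fail-closed version of the
// LiteralPath check described in the fix: the path the signature tool reports it
// actually verified is compared against the path of the file the updater downloaded.
import * as path from "path";

// Assumed subset of the parsed Get-AuthenticodeSignature output used by the verifier.
interface SignatureInfo {
  Status: number;                          // 0 is treated as "Valid", as in verifySignature()
  Path?: string;                           // LiteralPath the tool reports having checked
  SignerCertificate?: { Subject: string };
}

type PathCheck = { ok: true; path: string } | { ok: false; reason: string };

// Normalize a Windows path for comparison: collapse separators and "..", then
// fold case, because NTFS paths are case-insensitive and a strict !== on raw
// path.normalize() output would spuriously reject "C:\..." against "c:\...".
function canonicalWin32(p: string): string {
  return path.win32.normalize(p).toLowerCase();
}

// cmd.exe expands %NAME% sequences before the command runs (the root cause on
// this page). Hypothetical extra guard, not part of the patch: refuse to hand
// such a path to a shell at all, so no expansion can change which file is checked.
function containsCmdExpansion(p: string): boolean {
  return p.includes("%");
}

// Fail-closed LiteralPath check. Unlike the patch, which logs a warning and skips
// the step when data.Path is missing, a missing or mismatching Path is treated as
// a verification failure so the update is rejected rather than trusted.
function checkLiteralPath(data: SignatureInfo, expectedTempFile: string): PathCheck {
  if (containsCmdExpansion(expectedTempFile)) {
    return { ok: false, reason: `update path ${expectedTempFile} contains cmd.exe expansion syntax` };
  }
  if (data.Status !== 0) {
    return { ok: false, reason: `signature status ${data.Status} is not Valid` };
  }
  if (typeof data.Path !== "string" || data.Path.length === 0) {
    return { ok: false, reason: "signature tool reported no LiteralPath; refusing to trust the result" };
  }
  const verified = canonicalWin32(data.Path);
  const expected = canonicalWin32(expectedTempFile);
  if (verified !== expected) {
    return { ok: false, reason: `LiteralPath ${data.Path} is different than ${expectedTempFile}` };
  }
  return { ok: true, path: verified };
}

// Constructed sample inputs (not real tool output or real file paths).
const EXPECTED_FILE = "C:\\Users\\alice\\AppData\\Local\\example-app\\pending\\update.exe";
const SAME_FILE_DIFFERENT_CASE: SignatureInfo = {
  Status: 0,
  Path: "c:\\users\\alice\\appdata\\local\\example-app\\pending\\update.exe",
  SignerCertificate: { Subject: "CN=Example Corp" },
};
const OTHER_SIGNED_FILE: SignatureInfo = {
  Status: 0,
  Path: "C:\\Windows\\System32\\notepad.exe", // validly signed, but not the downloaded file
  SignerCertificate: { Subject: "CN=Microsoft Windows" },
};
const MISSING_PATH: SignatureInfo = { Status: 0, SignerCertificate: { Subject: "CN=Example Corp" } };
const INVALID_STATUS: SignatureInfo = { Status: 1, Path: EXPECTED_FILE };

const cases: Array<[string, SignatureInfo]> = [
  ["same file, different case", SAME_FILE_DIFFERENT_CASE],
  ["other signed file", OTHER_SIGNED_FILE],
  ["missing Path", MISSING_PATH],
  ["invalid status", INVALID_STATUS],
];
for (const [label, info] of cases) {
  console.log(label, "->", JSON.stringify(checkLiteralPath(info, EXPECTED_FILE)));
}
```

Only the first case passes; the other three are rejected, and the rejection reason says which guard fired so an operator reading the updater log can tell a signing problem from a path-binding problem.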

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                 Affected versions   Patched versions
electron-updater (npm)  < 6.3.0-alpha.6     6.3.0-alpha.6

Patches

ac2e6a25aa49

fix: verify LiteralPath of update file during windows signature verification (#8295)

2 files changed · +18 −1
  • .changeset/nervous-carrots-begin.md  +5 −0  added
    @@ -0,0 +1,5 @@
    +---
    +"electron-updater": patch
    +---
    +
    +fix: verify LiteralPath of update file during windows signature verification
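Review bot: the changeset describes this as a plain `patch` bump, but the change closes a code-signing bypass; the changeset text should say so (and name the advisory) so the generated changelog flags the release as security-relevant for downstream consumers deciding whether to upgrade.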
    
  • packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts  +13 −1  modified
    @@ -2,6 +2,7 @@ import { parseDn } from "builder-util-runtime"
     import { execFile, execFileSync } from "child_process"
     import * as os from "os"
     import { Logger } from "./main"
    +import * as path from "path"
     
     // $certificateInfo = (Get-AuthenticodeSignature 'xxx\yyy.exe'
     // | where {$_.Status.Equals([System.Management.Automation.SignatureStatus]::Valid) -and $_.SignerCertificate.Subject.Contains("CN=siemens.com")})
    @@ -48,6 +49,18 @@ export function verifySignature(publisherNames: Array<string>, unescapedTempUpda
               }
               const data = parseOut(stdout)
               if (data.Status === 0) {
    +            try {
    +              const normlaizedUpdateFilePath = path.normalize(data.Path)
    +              const normalizedTempUpdateFile = path.normalize(unescapedTempUpdateFile)
    +              logger.info(`LiteralPath: ${normlaizedUpdateFilePath}. Update Path: ${normalizedTempUpdateFile}`)
    +              if (normlaizedUpdateFilePath !== normalizedTempUpdateFile) {
    +                handleError(logger, new Error(`LiteralPath of ${normlaizedUpdateFilePath} is different than ${normalizedTempUpdateFile}`), stderr, reject)
    +                resolve(null)
    +                return
    +              }
    +            } catch (error: any) {
    +              logger.warn(`Unable to verify LiteralPath of update asset due to missing data.Path. Skipping this step of validation. Message: ${error.message ?? error.stack}`)
    +            }
                 const subject = parseDn(data.SignerCertificate.Subject)
                 let match = false
                 for (const name of publisherNames) {
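Review bot: the `catch (error: any)` branch fails open: if `data.Path` is missing, or `path.normalize` throws on a non-string, the LiteralPath comparison is skipped with only a `logger.warn` and verification proceeds to the publisher-name check as though the paths had matched. Since the purpose of this hunk is to bind the verified signature to the downloaded file, a missing `Path` should be treated as a verification failure (call `handleError(...)` and return, as the mismatch branch does) rather than as a step to skip. Two smaller points in the same block: `normlaizedUpdateFilePath` is misspelled (`normalized`), and the strict `!==` on `path.normalize` output is case-sensitive while Windows paths are not, so a tool-reported path differing only in drive-letter case would be rejected; compare case-insensitively (or resolve both sides first) to avoid spurious failures. Finally, calling `resolve(null)` immediately after handing `reject` to `handleError` leaves it unclear which of the two decides the outcome; only one should.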
    @@ -96,7 +109,6 @@ function parseOut(out: string): any {
         // duplicates data.SignerCertificate (contains RawData)
         delete signerCertificate.SubjectName
       }
    -  delete data.Path
       return data
     }
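Review bot: removing `delete data.Path` makes `Path` part of what `parseOut` now promises to `verifySignature`, but nothing records that: the function still returns `any` and the surrounding comments only explain the `SubjectName` deletion. Add a comment (or a typed return shape with `Path: string`) stating that `Path` must be preserved for the LiteralPath check, so a future cleanup does not reintroduce the deletion and silently disable that check, which the try/catch above would only report as a warning.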
     
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
