CVE-2024-29900: @electron/packager's build process memory potentially leaked into final executable

March 29, 2024

A random segment of ~1-10kb of Node.js heap memory allocated either side of a known buffer will be leaked into the final executable. This memory could contain sensitive information such as environment variables, secrets files, etc.

References

github.com/advisories/GHSA-34h3-8mw4-qw57
github.com/electron/packager
github.com/electron/packager/commit/d421d4bd3ced889a4143c5c3ab6d95e3be249eee
github.com/electron/packager/security/advisories/GHSA-34h3-8mw4-qw57
nvd.nist.gov/vuln/detail/CVE-2024-29900

Detect and mitigate CVE-2024-29900 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →