CVE-2020-26272: Exposure of Resource to Wrong Sphere

January 28, 2021 (updated February 4, 2021)

In affected versions of Electron IPC messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame. If your app uses remote, calls webContents.sendToFrame, or calls event.reply in an IPC message handler then it is impacted by this issue.

References

nvd.nist.gov/vuln/detail/CVE-2020-26272
www.electronjs.org/releases/stable?version=9

Code Behaviors & Features

Detect and mitigate CVE-2020-26272 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →