CVE-2023-44402: ASAR Integrity bypass via filetype confusion in electron

December 1, 2023 (updated September 18, 2024)

This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS.

Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the resources folder in your app installation on Windows which these fuses are supposed to protect against.

References

github.com/advisories/GHSA-7m48-wc93-9g85
github.com/electron/electron
github.com/electron/electron/pull/39788
github.com/electron/electron/security/advisories/GHSA-7m48-wc93-9g85
nvd.nist.gov/vuln/detail/CVE-2023-44402
www.electronjs.org/docs/latest/tutorial/fuses

Detect and mitigate CVE-2023-44402 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →