CVE-2020-15215: Context isolation bypass in Electron
CVSS Score: 5.6 (CVSS 3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.51211%
CWE
Published: 10/6/2020
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
electron | npm | >= 8.0.0-beta.0, < 8.5.2 | 8.5.2 |
electron | npm | >= 9.0.0-beta.0, < 9.3.1 | 9.3.1 |
electron | npm | >= 10.0.0-beta.0, < 10.1.2 | 10.1.2 |
electron | npm | >= 11.0.0-beta.0, <= 11.0.0-beta.5 | 11.0.0-beta.6 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The key vulnerability stemmed from improper process_id handling in URLLoaderFactoryParams when web security was disabled. The OverrideURLLoaderFactoryParams function in ElectronBrowserClient was modified across all relevant commits to remove the process_id assignment logic, which directly correlates with the described context isolation bypass. This function would appear in profiler output during exploitation as it's where CORB settings and process associations were manipulated.