6.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-29257

GHSA ID

GHSA-77xc-hjv8-ww97

EPSS Score

0.60761%

CWE

CWE-20

Published

6/16/2022

Updated

1/27/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-29257

CVE-2022-29257: AutoUpdater module fails to validate certain nested components of the bundle

Impact

This vulnerability allows attackers who have control over a given apps update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components.

Please note that this kind of attack would require significant privileges in your own auto updating infrastructure and the ease of that attack entirely depends on your infrastructure security.

Patches

This has been patched and the following Electron versions contain the fix:

18.0.0-beta.6
17.2.0
16.2.0
15.5.0

Workarounds

There are no workarounds for this issue, please update to a patched version of Electron.

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

(GitHub Advisory)

6.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-29257

GHSA ID

GHSA-77xc-hjv8-ww97

EPSS Score

0.60761%

CWE

CWE-20

Published

6/16/2022

Updated

1/27/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
electron	npm	< 15.5.0	15.5.0
electron	npm	>= 16.0.0, < 16.2.0	16.2.0
electron	npm	>= 17.0.0, < 17.2.0	17.2.0
electron	npm	>= 18.0.0-beta.1, <= 18.0.0-beta.5	18.0.0-beta.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper code signing validation of nested components in macOS update bundles. Electron's AutoUpdater relies on Squirrel.Mac's SUCodeSigningVerifier, which prior to the patch did not use the --deep flag or equivalent recursive validation when checking code signatures. This allowed attackers to embed malicious code in nested components that would pass top-level validation. The CWE-20 (Improper Input Validation) classification and macOS-specific advisory context align with this root cause. The patched versions likely introduced recursive validation via codesign --deep or similar mechanisms.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T*is vuln*r**ility *llows *tt**k*rs w*o **v* *ontrol ov*r * *iv*n *pps up**t* s*rv*r / up**t* stor*** to s*rv* m*li*iously *r**t** up**t* p**k***s t**t p*ss t** *o** si*nin* v*li**tion ****k *ut *ont*in m*li*ious *o** in som* *ompon*nts.

Reasoning

T** vuln*r**ility st*ms *rom improp*r *o** si*nin* v*li**tion o* n*st** *ompon*nts in m**OS up**t* *un*l*s. *l**tron's *utoUp**t*r r*li*s on Squirr*l.M**'s SU*o**Si*nin*V*ri*i*r, w*i** prior to t** p*t** *i* not us* t** `--***p` *l** or *quiv*l*nt r*

6.6

Basic Information

Concerned about an active attack path?

CVE-2022-29257: AutoUpdater module fails to validate certain nested components of the bundle

Impact

Patches

Workarounds

For more information

6.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI