6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-44402

GHSA ID

GHSA-7m48-wc93-9g85

EPSS Score

0.31041%

CWE

CWE-345

Published

12/1/2023

Updated

9/18/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-44402

CVE-2023-44402:
ASAR Integrity bypass via filetype confusion in electron

Impact

This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS.

Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the resources folder in your app installation on Windows which these fuses are supposed to protect against.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

27.0.0-alpha.7
26.2.1
25.8.1
24.8.3
22.3.24

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-44402

GHSA ID

GHSA-7m48-wc93-9g85

EPSS Score

0.31041%

CWE

CWE-345

Published

12/1/2023

Updated

9/18/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
electron	npm	< 22.3.24	22.3.24
electron	npm	>= 24.0.0-alpha.1, < 24.8.3	24.8.3
electron	npm	>= 25.0.0-alpha.1, < 25.8.1	25.8.1
electron	npm	>= 26.0.0-alpha.1, < 26.2.1	26.2.1
electron	npm	>= 27.0.0-alpha.1, < 27.0.0-alpha.7	27.0.0-alpha.7
electron	npm	>= 23.0.0-alpha.1, <= 23.3.13

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper validation of ASAR file integrity. The GitHub PR #39788 fix explicitly addresses this by ensuring loaded files are actual ASAR archives, not just files with .asar extensions. The ElectronMain function in electron_main.cc is the entry point for app initialization and ASAR handling. The vulnerability occurred because this function (or its dependencies) checked the file path extension but not the file's actual content structure. The fix adds validation of the ASAR magic bytes, indicating the original code lacked this critical check. This matches the CWE-345 (Insufficient Verification of Data Authenticity) classification in the advisory.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T*is only imp**ts *pps t**t **v* t** `*m*******s*rInt**rityV*li**tion` *n* `onlyLo***pp*rom*s*r` [*us*s](*ttps://www.*l**tronjs.or*/*o*s/l*t*st/tutori*l/*us*s) *n**l**. *pps wit*out t**s* *us*s *n**l** *r* not imp**t**. T*is issu* is sp*

Reasoning

T** vuln*r**ility st*ms *rom improp*r `v*li**tion` o* *S*R *il* int**rity. T** *it*u* PR #***** *ix *xpli*itly ***r*ss*s t*is *y *nsurin* lo**** *il*s *r* **tu*l *S*R *r**iv*s, not just *il*s wit* `.*s*r` *xt*nsions. T** `*l**tronM*in` *un*tion in `*

6.1

Basic Information

Concerned about an active attack path?

CVE-2023-44402: ASAR Integrity bypass via filetype confusion in electron

Impact

Workarounds

Fixed Versions

For more information

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-44402:
ASAR Integrity bypass via filetype confusion in electron

Vulnerability Intelligence
Miggo AI