Basic Information
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| electron | npm | < 22.3.25 | 22.3.25 |
| electron | npm | >= 24.0.0, < 24.8.5 | 24.8.5 |
| electron | npm | >= 25.0.0, < 25.8.4 | 25.8.4 |
| electron | npm | >= 26.0.0, < 26.2.4 | 26.2.4 |
| electron | npm | >= 27.0.0-alpha.1, < 27.0.0-beta.8 | 27.0.0-beta.8 |
The CVE-2023-5217 fix in libvpx commit 3fbd1dca6a4d2dad332a2110d646e4ffef36d590 specifically modifies vp8_change_config() to prevent thread count changes after encoder creation. Electron's patches incorporate this fix. The vulnerability occurs when the thread count is reconfigured after initialization: per-thread resources were already allocated for the original count, so the larger count causes heap corruption. Before the patch the function did not validate thread count changes at all, which matches the described heap buffer overflow scenario directly.
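The pre-allocation hazard described above, as an added illustration in C that is not libvpx or Electron code: a hypothetical encoder sizes its per-thread state once at creation, an unchecked reconfigure (the pre-patch shape) lets the thread count outgrow that allocation, and the checked variant (the post-patch shape) refuses the change. All names here (encoder_t, change_config_unchecked, change_config_checked, would_overflow, reconfigure_leaves_overflow) are assumptions.

```c
#include <stdlib.h>
/* Hypothetical model, not libvpx code: per-thread state is allocated once at
 * creation from the requested thread count and is never resized. */
typedef struct {
    int allocated_threads;   /* slots actually allocated */
    int thread_count;        /* threads the worker loop will use */
    int *per_thread_state;
} encoder_t;

static encoder_t *encoder_create(int threads) {
    encoder_t *enc = threads < 1 ? NULL : calloc(1, sizeof *enc);
    if (!enc) return NULL;
    enc->per_thread_state = calloc((size_t)threads, sizeof(int));
    if (!enc->per_thread_state) { free(enc); return NULL; }
    enc->allocated_threads = enc->thread_count = threads;
    return enc;
}

static void encoder_destroy(encoder_t *enc) {
    if (enc) { free(enc->per_thread_state); free(enc); }
}

/* Pre-patch shape: stores the new count without checking the buffer size. */
static int change_config_unchecked(encoder_t *enc, int threads) {
    enc->thread_count = threads;
    return 0;
}

/* Post-patch shape: any thread count change after creation is refused. */
static int change_config_checked(encoder_t *enc, int threads) {
    return threads == enc->thread_count ? 0 : -1;
}

/* 1 if a worker loop over per_thread_state[0..thread_count) would write past
 * the allocation, i.e. the heap buffer overflow condition. */
static int would_overflow(const encoder_t *enc) {
    return enc->thread_count > enc->allocated_threads;
}

/* Create with 2 threads, then request 8 through the chosen variant.
 * Returns 1 if thread_count is left past the allocation, 0 if not. */
int reconfigure_leaves_overflow(int use_patched_variant) {
    encoder_t *enc = encoder_create(2);
    if (!enc) return -1;
    if (use_patched_variant) change_config_checked(enc, 8);
    else change_config_unchecked(enc, 8);
    int r = would_overflow(enc);
    encoder_destroy(enc);
    return r;
}
```

Running reconfigure_leaves_overflow(0) reproduces the inconsistent state the unchecked path creates, while reconfigure_leaves_overflow(1) shows the checked path leaving the allocation and thread count in agreement.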