GHSA-q43m-ffwr-rpcc

GitHub Security Advisory

SSL Validation Defaults to False in electron-packager

GitHub Reviewed | Severity: LOW | Has CVE

Advisory Details

Affected versions of `electron-packager` configure the generated application to disable SSL certificate verification by default.

This could allow an attacker with a privileged network position to mount a man-in-the-middle (MITM) attack on the install process: the step where electron-packager downloads the Electron binaries for the supported target platforms and architectures can be intercepted and the valid download replaced with a tampered, malicious one.

This only affects users of the electron-packager CLI. The `strict-ssl` option defaults to `true` for the Node.js API.

## Recommendation

1. Update to version 7.0.0 or later.
2. Delete the `electron-download` cache folder, which is by default located at `~/.electron`.

Affected Packages

npm electron-packager
Affected versions: 5.2.1 (fixed in 7.0.0)

Key Information

GHSA ID
GHSA-q43m-ffwr-rpcc
Published
February 18, 2019 11:58 PM
Last Modified
January 8, 2021 6:18 PM
CVSS Score
2.5 /10
Primary Ecosystem
npm
Primary Package
electron-packager
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 3, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.