CVE-2024-27303
electron-builder's NSIS installer - execute arbitrary code on the target machine (Windows only)
Description
### Impact
Windows-only: the NSIS installer makes a system call to open cmd.exe via NSExec in the `.nsh` installer script. By default, NSExec searches the directory the installer is located in before searching `PATH`. This means that if an attacker can place a malicious executable named cmd.exe in the same folder as the installer, the installer will run the malicious file instead of the system cmd.exe.
### Patches
Fixed in https://github.com/electron-userland/electron-builder/pull/8059
### Workarounds
None. The call executes at the installer level, before the app is present on the system, so a currently shipped installer has no way to check whether a shadowing cmd.exe exists.
### References
https://cwe.mitre.org/data/definitions/426.html
https://cwe.mitre.org/data/definitions/427
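As an added example (not code from electron-builder or from the advisory), a small Python check that scans an NSIS script for process-launching calls whose executable is a bare name such as `cmd.exe` (resolved through the search path, the CWE-427 pattern behind this CVE) and accepts the qualified `$SYSDIR\cmd.exe` form, which NSIS expands to the Windows system directory. The NSIS snippets are constructed for this example; the exact lines changed in PR #8059 are not reproduced.

```python
import re

# Constructed sample scripts: a vulnerable pattern and its qualified counterpart.
VULNERABLE_SNIPPET = r'''
!macro customInstall
  nsExec::Exec 'cmd.exe /c "taskkill /im myapp.exe /f"'
  nsExec::ExecToStack 'cmd.exe /c echo done'
!macroend
'''

FIXED_SNIPPET = r'''
!macro customInstall
  nsExec::Exec '"$SYSDIR\cmd.exe" /c "taskkill /im myapp.exe /f"'
!macroend
'''

# NSIS instructions and nsExec plugin calls that spawn a process from a command string.
EXEC_CALL = re.compile(
    r'^\s*(?:nsExec::(?:Exec|ExecToLog|ExecToStack)|ExecWait|ExecShell|Exec)\s+(?P<cmd>.*)$',
    re.IGNORECASE,
)


def command_image(cmd: str) -> str:
    """Return the executable token of an NSIS command string, outer quotes removed."""
    cmd = cmd.strip()
    if cmd and cmd[0] in "\"'":
        cmd = cmd[1:]  # drop the NSIS string delimiter
    if cmd.startswith('"'):  # image itself quoted: "$SYSDIR\cmd.exe" /c ...
        return cmd[1:].split('"', 1)[0]
    parts = cmd.split()
    return parts[0] if parts else ""


def is_unqualified(image: str) -> bool:
    """True when the image has no directory component, so it is found via the
    process search path, which starts with the installer's own directory."""
    # A leading NSIS variable ($SYSDIR, $INSTDIR, ...) is treated as qualified.
    return not ("\\" in image or "/" in image or image.startswith("$"))


def find_unqualified_execs(script: str):
    """Return (line number, image) for every exec call with a bare executable name."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        m = EXEC_CALL.match(line)
        if m:
            image = command_image(m.group("cmd"))
            if image and is_unqualified(image):
                findings.append((lineno, image))
    return findings
```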
How to fix CVE-2024-27303
To remediate CVE-2024-27303, upgrade the affected package to a fixed version below.
- upgrade to 24.13.2 or later
Is CVE-2024-27303 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- electron-builder: from 0, < 24.13.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.3) | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |