CVE-2023-29198: Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Electron apps using `contextIsolation...

Description

Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Electron apps using `contextIsolation` and `contextBridge` are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. This issue is only exploitable if an API exposed to the main world via `contextBridge` can return an object or array that contains a javascript object which cannot be serialized, for instance, a canvas rendering context. This would normally result in an exception being thrown `Error: object could not be cloned`. The app side workaround is to ensure that such a case is not possible. Ensure all values returned from a function exposed over the context bridge are supported. This issue has been fixed in versions `25.0.0-alpha.2`, `24.0.1`, `23.2.3`, and `22.3.6`.

Metrics

CVSS 3.1

8.5/10

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Probability

0.49%

38.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions	Update
Electronjs	Electron	< 22.3.6	—
Electronjs	Electron	>= 23.0.0, < 23.2.3	—
Electronjs	Electron	24.0.0	—
Electronjs	Electron	25.0.0	Alpha1

References

https://github.com/electron/electron/security/advisories/GHSA-p7v2-p9m8-qqg7Mitigation, Vendor Advisory
https://www.electronjs.org/docs/latest/api/context-bridge#parameter--error--return-type-supportProduct
https://github.com/electron/electron/security/advisories/GHSA-p7v2-p9m8-qqg7Mitigation, Vendor Advisory
https://www.electronjs.org/docs/latest/api/context-bridge#parameter--error--return-type-supportProduct

Timeline

Published: Sep 6, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-29198?

Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Electron apps using `contextIsolation` and `contextBridge` are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. This issue is only exploitable if an API exposed to the main world via `contextBridge` can return an object or array that contains a javascript object which cannot be serialized, for instance, a canvas rendering context. This would normally result in an exception being thrown `Error: object could not be cloned`. The app side workaround is to ensure that such a case is not possible. Ensure all values returned from a function exposed over the context bridge are supported. This issue has been fixed in versions `25.0.0-alpha.2`, `24.0.1`, `23.2.3`, and `22.3.6`.

How severe is CVE-2023-29198?

CVE-2023-29198 has a CVSS score of 8.5/10 (HIGH severity). The EPSS model estimates a 0.49% probability of exploitation in the next 30 days.

How do I fix CVE-2023-29198?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.