[NPM:GHSA-34H3-8MW4-QW57] @electron/packager's build process memory potentially leaked into final executable

Severity High

Affected Packages 1

Fixed Packages 1

CVEs 1

Impact

A random segment of ~1-10kb of Node.js heap memory allocated either side of a known buffer will be leaked into the final executable. This memory could contain sensitive information such as environment variables, secrets files, etc.

Patches

This issue is patched in 18.3.1

Workarounds

No workarounds, please update to a patched version of @electron/packager immediately if impacated.

Package	Affected Version
pkg:npm/%40electron/packager	= 18.3.0

Package	Fixed Version
pkg:npm/%40electron/packager	= 18.3.1

ID: NPM:GHSA-34H3-8MW4-QW57
Severity: high
URL: https://github.com/advisories/GHSA-34h3-8mw4-qw57
Published: 2024-03-29T20:16:22
(3 months ago)
Modified: 2024-03-29T20:16:23
(3 months ago)
Rights: NPM Security Team

Source	# ID	Name	URL
			https://github.com/electron/packager/security/advisories/GHSA-34h3-8mw4-qw57
			https://nvd.nist.gov/vuln/detail/CVE-2024-29900
			https://github.com/electron/packager/commit/d421d4bd3ced889a4143c5c3ab6d95e3be249eee
			https://github.com/advisories/GHSA-34h3-8mw4-qw57

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:npm/%40electron/packager	@electron	packager	= 18.3.0
Fixed	pkg:npm/%40electron/packager	@electron	packager	= 18.3.1

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date