{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-46993", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-09-16T16:10:09.019Z", "datePublished": "2025-07-01T01:55:51.242Z", "dateUpdated": "2025-07-02T13:25:00.677Z"}, "containers": {"cna": {"title": "Electron Vulnerable to Heap Buffer Overflow in NativeImage::CreateFromPath", "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "lang": "en", "description": "CWE-122: Heap-based Buffer Overflow", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/electron/electron/security/advisories/GHSA-6r2x-8pq8-9489", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/electron/electron/security/advisories/GHSA-6r2x-8pq8-9489"}], "affected": [{"vendor": "electron", "product": "electron", "versions": [{"version": "< 28.3.2", "status": "affected"}, {"version": ">= 29.0.0-alpha.1, < 29.3.3", "status": "affected"}, {"version": ">= 30.0.0-alpha.1, < 30.0.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-01T01:55:51.242Z"}, "descriptions": [{"lang": "en", "value": "Electron is an open source framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. In versions prior to 28.3.2, 29.3.3, and 30.0.3, the nativeImage.createFromPath() and nativeImage.createFromBuffer() functions call a function downstream that is vulnerable to a heap buffer overflow. An Electron program that uses either of the affected functions is vulnerable to a buffer overflow if an attacker is in control of the image's height, width, and contents. This issue has been patched in versions 28.3.2, 29.3.3, and 30.0.3. There are no workarounds for this issue."}], "source": {"advisory": "GHSA-6r2x-8pq8-9489", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-01T13:45:02.755204Z", "id": "CVE-2024-46993", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-02T13:25:00.677Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-46993", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-01T13:45:02.755204Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-01T13:47:01.069Z"}}], "cna": {"title": "Electron Vulnerable to Heap Buffer Overflow in NativeImage::CreateFromPath", "source": {"advisory": "GHSA-6r2x-8pq8-9489", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "electron", "product": "electron", "versions": [{"status": "affected", "version": "< 28.3.2"}, {"status": "affected", "version": ">= 29.0.0-alpha.1, < 29.3.3"}, {"status": "affected", "version": ">= 30.0.0-alpha.1, < 30.0.3"}]}], "references": [{"url": "https://github.com/electron/electron/security/advisories/GHSA-6r2x-8pq8-9489", "name": "https://github.com/electron/electron/security/advisories/GHSA-6r2x-8pq8-9489", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Electron is an open source framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. In versions prior to 28.3.2, 29.3.3, and 30.0.3, the nativeImage.createFromPath() and nativeImage.createFromBuffer() functions call a function downstream that is vulnerable to a heap buffer overflow. An Electron program that uses either of the affected functions is vulnerable to a buffer overflow if an attacker is in control of the image's height, width, and contents. This issue has been patched in versions 28.3.2, 29.3.3, and 30.0.3. There are no workarounds for this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "CWE-122: Heap-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-01T01:55:51.242Z"}}}, "cveMetadata": {"cveId": "CVE-2024-46993", "state": "PUBLISHED", "dateUpdated": "2025-07-02T13:25:00.677Z", "dateReserved": "2024-09-16T16:10:09.019Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-07-01T01:55:51.242Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Electron is an open source framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. In versions prior to 28.3.2, 29.3.3, and 30.0.3, the nativeImage.createFromPath() and nativeImage.createFromBuffer() functions call a function downstream that is vulnerable to a heap buffer overflow. An Electron program that uses either of the affected functions is vulnerable to a buffer overflow if an attacker is in control of the image's height, width, and contents. This issue has been patched in versions 28.3.2, 29.3.3, and 30.0.3. There are no workarounds for this issue."}, {"lang": "es", "value": "Electron es un framework de c\u00f3digo abierto para desarrollar aplicaciones de escritorio multiplataforma con JavaScript, HTML y CSS. En versiones anteriores a la 28.3.2, 29.3.3 y 30.0.3, las funciones nativeImage.createFromPath() y nativeImage.createFromBuffer() invocan una funci\u00f3n dependiente que es vulnerable a un desbordamiento de b\u00fafer en el mont\u00f3n. Un programa Electron que utilice cualquiera de las funciones afectadas es vulnerable a un desbordamiento de b\u00fafer si un atacante controla la altura, el ancho y el contenido de la imagen. Este problema se ha corregido en las versiones 28.3.2, 29.3.3 y 30.0.3. No existen soluciones alternativas."}], "id": "CVE-2024-46993", "lastModified": "2025-07-03T15:14:12.767", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-07-01T03:15:21.020", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/electron/electron/security/advisories/GHSA-6r2x-8pq8-9489"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"created": "2025-07-06T22:16:25.016207+00:00", "updated": "2025-07-06T22:16:25.016255+00:00", "vendors": ["electron", "electron$PRODUCT$electron"]}