node-integration-enabled: Electron Applications - Cross-Site Scripting & Remote Code Execution

日期: 2025-08-01 | 影响软件: Electron | POC: 已公开

漏洞描述

Electron Applications is susceptible to remote code execution by way of cross-site scripting via nodeIntegration by calling require('child_process').exec('COMMAND');.

PoC代码[已公开]

id: node-integration-enabled

info:
  name: Electron Applications - Cross-Site Scripting & Remote Code Execution
  author: me9187
  severity: critical
  description: |
    Electron Applications is susceptible to remote code execution by way of cross-site scripting via nodeIntegration  by calling require('child_process').exec('COMMAND');.
  reference:
    - https://blog.yeswehack.com/yeswerhackers/exploitation/pentesting-electron-applications/
    - https://book.hacktricks.xyz/pentesting/pentesting-web/xss-to-rce-electron-desktop-apps
  tags: electron,file,nodejs,xss

file:
  - extensions:
      - all
    matchers:
      - type: word
        words:
          - "nodeIntegration: true"
# digest: 4b0a00483046022100a4de0131fb3858ce97cd9b81ddee915682a26e502382538cd9337fd214dedafd022100ac570647986eb2d47f7b7f5501c4b3772ed7e9e40347d2ffb9640a049497ec48:922c64590222798bb761d5b6d8e72950

来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./file/electron/node-integration-enabled.yaml

漏洞描述

PoC代码[已公开]

相关漏洞推荐