{"id":"CVE-2021-39184","details":"Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 11.5.0, 12.1.0, and 13.3.0 allows a sandboxed renderer to request a \"thumbnail\" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases. Versions 15.0.0-alpha.10, 14.0.0, 13.3.0, 12.1.0, and 11.5.0 all contain a fix for the vulnerability. Two workarounds aside from upgrading are available. One may make the vulnerability significantly more difficult for an attacker to exploit by enabling `contextIsolation` in one's app. One may also disable the functionality of the `createThumbnailFromPath` API if one does not need it.","aliases":["GHSA-mpjm-v997-c4h4"],"modified":"2026-04-11T12:34:40.889960Z","published":"2021-10-12T19:15:07.987Z","related":["GHSA-mpjm-v997-c4h4"],"database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:14.0.0:beta10:*:*:*:*:*:*","extracted_events":[{"last_affected":"14.0.0-beta10"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:14.0.0:beta11:*:*:*:*:*:*","extracted_events":[{"last_affected":"14.0.0-beta11"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:14.0.0:beta12:*:*:*:*:*:*","extracted_events":[{"last_affected":"14.0.0-beta12"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:14.0.0:beta13:*:*:*:*:*:*","extracted_events":[{"last_affected":"14.0.0-beta13"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:14.0.0:beta14:*:*:*:*:*:*","extracted_events":[{"last_affected":"14.0.0-beta14"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:14.0.0:beta15:*:*:*:*:*:*","extracted_events":[{"last_affected":"14.0.0-beta15"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:14.0.0:beta16:*:*:*:*:*:*","extracted_events":[{"last_affected":"14.0.0-beta16"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:14.0.0:beta17:*:*:*:*:*:*","extracted_events":[{"last_affected":"14.0.0-beta17"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:14.0.0:beta18:*:*:*:*:*:*","extracted_events":[{"last_affected":"14.0.0-beta18"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:14.0.0:beta19:*:*:*:*:*:*","extracted_events":[{"last_affected":"14.0.0-beta19"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:14.0.0:beta1:*:*:*:*:*:*","extracted_events":[{"last_affected":"14.0.0-beta1"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:14.0.0:beta20:*:*:*:*:*:*","extracted_events":[{"last_affected":"14.0.0-beta20"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:14.0.0:beta21:*:*:*:*:*:*","extracted_events":[{"last_affected":"14.0.0-beta21"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:14.0.0:beta22:*:*:*:*:*:*","extracted_events":[{"last_affected":"14.0.0-beta22"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:14.0.0:beta23:*:*:*:*:*:*","extracted_events":[{"last_affected":"14.0.0-beta23"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:14.0.0:beta24:*:*:*:*:*:*","extracted_events":[{"last_affected":"14.0.0-beta24"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:14.0.0:beta25:*:*:*:*:*:*","extracted_events":[{"last_affected":"14.0.0-beta25"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:14.0.0:beta2:*:*:*:*:*:*","extracted_events":[{"last_affected":"14.0.0-beta2"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:14.0.0:beta3:*:*:*:*:*:*","extracted_events":[{"last_affected":"14.0.0-beta3"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:14.0.0:beta4:*:*:*:*:*:*","extracted_events":[{"last_affected":"14.0.0-beta4"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:14.0.0:beta5:*:*:*:*:*:*","extracted_events":[{"last_affected":"14.0.0-beta5"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:14.0.0:beta6:*:*:*:*:*:*","extracted_events":[{"last_affected":"14.0.0-beta6"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:14.0.0:beta7:*:*:*:*:*:*","extracted_events":[{"last_affected":"14.0.0-beta7"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:14.0.0:beta8:*:*:*:*:*:*","extracted_events":[{"last_affected":"14.0.0-beta8"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:14.0.0:beta9:*:*:*:*:*:*","extracted_events":[{"last_affected":"14.0.0-beta9"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:15.0.0:alpha1:*:*:*:*:*:*","extracted_events":[{"last_affected":"15.0.0-alpha1"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:15.0.0:alpha2:*:*:*:*:*:*","extracted_events":[{"last_affected":"15.0.0-alpha2"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:15.0.0:alpha3:*:*:*:*:*:*","extracted_events":[{"last_affected":"15.0.0-alpha3"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:15.0.0:alpha4:*:*:*:*:*:*","extracted_events":[{"last_affected":"15.0.0-alpha4"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:15.0.0:alpha5:*:*:*:*:*:*","extracted_events":[{"last_affected":"15.0.0-alpha5"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:15.0.0:alpha6:*:*:*:*:*:*","extracted_events":[{"last_affected":"15.0.0-alpha6"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:15.0.0:alpha7:*:*:*:*:*:*","extracted_events":[{"last_affected":"15.0.0-alpha7"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:15.0.0:alpha8:*:*:*:*:*:*","extracted_events":[{"last_affected":"15.0.0-alpha8"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:15.0.0:alpha9:*:*:*:*:*:*","extracted_events":[{"last_affected":"15.0.0-alpha9"}]}]},"references":[{"type":"ADVISORY","url":"https://github.com/electron/electron/pull/30728"},{"type":"ADVISORY","url":"https://github.com/electron/electron/security/advisories/GHSA-mpjm-v997-c4h4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/electron/electron","events":[{"introduced":"1c3ebfdc30ab89b7a36acb16c964bdcb604c5730"},{"fixed":"3d0705d81fd8b829372a732577b5c275352a9da6"},{"introduced":"3ae63c9a06a4b5c9074572ee8b7137520fe4ba4e"},{"fixed":"ea234f9cb991bfbb0bd4bff7bdf7aba2dd726dfb"},{"introduced":"3651c0411f25def02573a29116f34dbf1d4f0508"},{"fixed":"5771f3826aef7cd8674aa02fb46a944570eee771"}],"database_specific":{"source":"CPE_FIELD","cpe":"cpe:2.3:a:electronjs:electron:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"10.1.0"},{"fixed":"11.5.0"},{"introduced":"12.0.0"},{"fixed":"12.1.0"},{"introduced":"13.0.0"},{"fixed":"13.3.0"}]}}],"versions":["v12.0.0","v12.0.1","v12.0.10","v12.0.11","v12.0.12","v12.0.13","v12.0.14","v12.0.15","v12.0.16","v12.0.17","v12.0.18","v12.0.2","v12.0.3","v12.0.4","v12.0.5","v12.0.6","v12.0.7","v12.0.8","v12.0.9","v13.0.0","v13.0.1","v13.1.0","v13.1.1","v13.1.2","v13.1.3","v13.1.4","v13.1.5","v13.1.6","v13.1.7","v13.1.8","v13.1.9","v13.2.0","v13.2.1","v13.2.2","v13.2.3"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-39184.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"}]}