
Fixing Insecure Electron Configuration #1790

Open
kobs0N wants to merge 1 commit into agalwood:master from kobs0N:master

kobs0N commented Jan 17, 2026

Insecure Electron Renderer Configuration Leading to RCE

Severity: Critical
Category: Insecure Configuration / Privilege Escalation
Affected Component: Electron Renderer Process

Description:

The application’s Electron renderer process is configured with multiple insecure webPreferences:

nodeIntegration: true
contextIsolation: false
enableRemoteModule: true

This configuration allows JavaScript executed in the renderer process to directly access Node.js APIs, including child_process, fs, and IPC mechanisms.

Impact

Any arbitrary JavaScript execution in the renderer (e.g., via future XSS, unsafe rendering of untrusted input, compromised dependencies, or developer tools exposure) would immediately escalate into full Remote Code Execution (RCE) on the host system.

Proof of Concept

From the renderer DevTools console:

require('child_process').exec('calc.exe')

This successfully executes a system command, demonstrating that the renderer process has unrestricted access to Node.js.

Risk

While no direct XSS vector was identified during testing, the current configuration eliminates Electron’s security boundaries. As a result, any future renderer-level injection would lead to complete system compromise.

Recommendation

  • Disable nodeIntegration
  • Enable contextIsolation
  • Remove usage of remote
  • Use a restricted preload.js with contextBridge
  • Apply Electron’s official security guidelines
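
As an added example (not part of the pull request or the project's code), the following Node.js check flags the three webPreferences values named in the comment above and derives the corrected values from the Recommendation list. The names RULES, auditWebPreferences and hardenWebPreferences, and the sample object with its preload entry, are constructed for illustration.

```javascript
// Added example: audit Electron webPreferences for the three settings named in the PR.
// RULES, auditWebPreferences and hardenWebPreferences are hypothetical names.
const RULES = [
  { key: 'nodeIntegration', safe: false,
    risk: 'renderer JavaScript can require() Node.js modules' },
  { key: 'contextIsolation', safe: true,
    risk: 'page scripts share a JavaScript context with preload and Electron internals' },
  { key: 'enableRemoteModule', safe: false,
    risk: 'renderer can reach main-process objects through remote' },
];

// Returns one finding per rule that is violated or not set explicitly.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  for (const { key, safe, risk } of RULES) {
    if (!Object.prototype.hasOwnProperty.call(prefs, key)) {
      // Defaults differ between Electron releases, so unset keys are reported for review.
      findings.push({ key, level: 'review', detail: `${key} is not set explicitly` });
    } else if (prefs[key] !== safe) {
      findings.push({ key, level: 'insecure', detail: `${key}: ${prefs[key]} (${risk})` });
    }
  }
  return findings;
}

// Returns a copy with the three settings forced to their safe values.
// Other keys (for example a preload path) are kept, and the input is not mutated.
function hardenWebPreferences(prefs = {}) {
  const out = { ...prefs };
  for (const { key, safe } of RULES) out[key] = safe;
  return out;
}

// Constructed sample: the configuration described in the PR plus an assumed preload path.
const reported = {
  nodeIntegration: true,
  contextIsolation: false,
  enableRemoteModule: true,
  preload: 'preload.js',
};

console.log(auditWebPreferences(reported));                        // three "insecure" findings
console.log(auditWebPreferences(hardenWebPreferences(reported)));  // no findings
```

A check like this can run in CI against the options object passed to BrowserWindow, so a later change that re-enables one of these settings fails the build.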
