CVE-2024-29900

Description

Electron Packager bundles Electron-based application source code with a renamed Electron executable and supporting files into folders ready for distribution. A random segment of ~1-10kb of Node.js heap memory allocated either side of a known buffer will be leaked into the final executable. This memory _could_ contain sensitive information such as environment variables, secrets files, etc. This issue is patched in 18.3.1.

CVSS v3.1 Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Weakness Type (CWE)

CWE-402 CWE-402

Affected Products

Vendor	Product	Versions
openjsf	packager	All

References

Advisories & Patches

https://github.com/electron/packager/commit/d421d4bd3ced889a4143c5c3ab6d95e3be249eee https://github.com/electron/packager/security/advisories/GHSA-34h3-8mw4-qw57 https://github.com/electron/packager/commit/d421d4bd3ced889a4143c5c3ab6d95e3be249eee https://github.com/electron/packager/security/advisories/GHSA-34h3-8mw4-qw57

Frequently Asked Questions

What is CVE-2024-29900? +

Electron Packager bundles Electron-based application source code with a renamed Electron executable and supporting files into folders ready for distribution. A random segment of ~1-10kb of Node.js heap memory allocated either side of a known buffer will be leaked into the final executable. This memory _could_ contain sensitive information such as environment variables, secrets files, etc. This issue is patched in 18.3.1. It has a CVSS v3.1 base score of 7.5 (HIGH).

How severe is CVE-2024-29900? +

CVE-2024-29900 has a CVSS v3.1 score of 7.5 out of 10, rated HIGH. This is a high-severity vulnerability that should be prioritized for patching.

What products are affected by CVE-2024-29900? +

CVE-2024-29900 affects products from openjsf, specifically: packager. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2024-29900? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-0502 9.1

Transmission of Private Resources into a New Sphere ('Resource Leak') vulnerability in CrafterCMS Engine on Linux, MacOS, x86, Windows, 64 …

CVE-2025-48383 8.2

Django-Select2 is a Django integration for Select2. Prior to version 8.4.1, instances of HeavySelect2Mixin subclasses like the ModelSelect2MultipleWidget and ModelSelect2Widget …

CVE-2025-67745 7.1

MyHoard is a daemon for creating, managing and restoring MySQL backups. Starting in version 1.0.1 and prior to version 1.3.0, …

CVE-2024-47146 6.5

Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could allow an attacker to obtain the devices serial …

CVE-2025-49618 5.8

In Plesk Obsidian 18.0.69, unauthenticated requests to /login_up.php can reveal an AWS accessKeyId, secretAccessKey, region, and endpoint.

CVE-2024-0443 5.5

A flaw was found in the blkgs destruction path in block/blk-cgroup.c in the Linux kernel, leading to a cgroup blkio …