CVE-2022-29257 Electron's AutoUpdater module fails to validate certain nested components of the bundle

Electron is a framework for writing cross-platform desktop applications using JavaScript JS, HTML, and CSS. A vulnerability in versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 allows attackers who have control over a given apps update server / update storage to serve maliciously crafte...

Signature Validation Bypass

Overview electron-updater is a module allowing applications to implement auto-update functionality. Affected versions of this package are vulnerable to Signature Validation Bypass. The signature verification check is based on a string comparison between the installed binary’s publisherName and th...