
Protocol Handler Vulnerability Fix


A remote code execution vulnerability has been discovered affecting Electron apps that use custom protocol handlers. This vulnerability has been assigned the CVE identifier CVE-2018-1000006.

Affected Platforms

Electron apps designed to run on Windows that register themselves as the default handler for a protocol, like myapp://, are vulnerable.

Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron's app.setAsDefaultProtocolClient API.

macOS and Linux are not vulnerable to this issue.


We've published new versions of Electron which include fixes for this vulnerability: 1.8.2-beta.5, 1.7.12, and 1.6.17. We urge all Electron developers to update their apps to the latest stable version immediately.

If for some reason you are unable to upgrade your Electron version, you can append -- as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options. The double dash -- signifies the end of command options, after which only positional parameters are accepted.

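// '--' must be the last element of the argument array, after any switches the app already passes
app.setAsDefaultProtocolClient(protocol, process.execPath, ['--'])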

See the app.setAsDefaultProtocolClient API for more details.
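
As an added illustration (not code from the Electron project), the following simplified model shows what "end of options" means for an argument list, and how an app can accept a protocol URL only from the positional arguments. The parser is a model and not Chromium's own; the function names and sample arguments are constructed for this example.

```javascript
// Simplified model of "end of options" parsing; NOT Chromium's real parser.
// Before the first bare "--", anything starting with "--" counts as a switch.
// After it, every argument is positional, even if it starts with "--".
function splitArgv(args) {
  const switches = [];
  const positionals = [];
  let optionsEnded = false;
  for (const arg of args) {
    if (!optionsEnded && arg === '--') {
      optionsEnded = true;
    } else if (!optionsEnded && arg.startsWith('--')) {
      switches.push(arg);
    } else {
      positionals.push(arg);
    }
  }
  return { switches, positionals };
}

// Hypothetical helper: return the single URL for `scheme`, or null.
// Only positionals are considered, and the value must parse as a URL.
function extractProtocolUrl(args, scheme) {
  const { positionals } = splitArgv(args);
  const matches = positionals.filter((p) => {
    try {
      return new URL(p).protocol === scheme + ':';
    } catch {
      return false; // not a URL at all
    }
  });
  // Zero or several candidates is ambiguous: refuse rather than guess.
  return matches.length === 1 ? matches[0] : null;
}

// Constructed sample arguments (those following the executable path),
// as they would look without and with the trailing '--' registered.
const unguarded = ['--looks-like-a-switch', 'myapp://open'];
const guarded = ['--', '--looks-like-a-switch', 'myapp://open'];

console.log(splitArgv(unguarded).switches); // one switch is honored
console.log(splitArgv(guarded).switches);   // none are honored
console.log(extractProtocolUrl(guarded, 'myapp'));
```
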

For more information about best practices for keeping your Electron apps secure, see our security tutorial.

If you wish to report a vulnerability in Electron, email