CVE-2021-39184
Published:October 12, 2021
Updated:May 17, 2026
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 11.5.0, 12.1.0, and 13.3.0 allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases. Versions 15.0.0-alpha.10, 14.0.0, 13.3.0, 12.1.0, and 11.5.0 all contain a fix for the vulnerability. Two workarounds aside from upgrading are available. One may make the vulnerability significantly more difficult for an attacker to exploit by enabling "contextIsolation" in one's app. One may also disable the functionality of the "createThumbnailFromPath" API if one does not need it.
Affected Packages
electron (NPM):
Affected version(s) >=13.0.0 <13.3.0Fix Suggestion:
Update to version 13.3.0electron (NPM):
Affected version(s) >=12.0.0 <12.1.0Fix Suggestion:
Update to version 12.1.0electron (NPM):
Affected version(s) >=0.1.0 <11.5.0Fix Suggestion:
Update to version 11.5.0Additional Notes
The description of this vulnerability differs from MITRE.
Related Resources (5)
Do you need more information?
Contact UsCVSS v4
Base Score:
8.9
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.8
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
NONE
EPSS
Base Score:
0.37