electron-updater is vulnerable to Path Traversal
59
Medium Risk
The auto-update flow in electron-updater derives the cached update file name from the server-supplied download URL. When the URL path does not end with the expected installer extension, the fallback branch in getCacheUpdateFileName returns the raw URL string without applying path.basename, and the value is joined onto the update cache directory. An attacker who controls the update feed metadata can supply a crafted path that escapes the cache directory and writes the downloaded artifact to an arbitrary filesystem location, which the updater then acts on. The fix applies path.basename to the fallback branch so the cached file name can no longer traverse outside the cache directory.
You are affected if you are using a version that falls within the vulnerable range and your application uses the auto-update flow.
electron-updater is vulnerable to Path Traversal in versions 6.1.1 - 6.8.7.
Upgrade the electron-updater library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant