CVE-2023-23623 Overview
CVE-2023-23623 is a security control bypass in Electron, the framework for building cross-platform desktop applications with JavaScript, HTML, and CSS. A Content-Security-Policy (CSP) directive that disables eval is not honored in renderer processes when sandbox: false is set in the webPreferences object. Affected renderers continue to permit eval() and new Function() even when the script-src directive omits unsafe-eval. The flaw expands the attack surface available to adversaries who can inject script into an Electron renderer. It affects Electron 22.x and 23.x release lines and is fixed in 22.0.1 and 23.0.0-alpha.2.
Critical Impact
Attackers who achieve script injection in a sandbox-disabled renderer can execute arbitrary JavaScript through eval() despite an application's CSP, escalating injection bugs into broader code execution paths.
Affected Products
- Electron 22.0.0 (including beta1 through beta8)
- Electron 23.0.0-alpha1
- Applications built on Electron 22.x or 23.x that set sandbox: false in webPreferences
Discovery Timeline
- 2023-09-06 - CVE-2023-23623 published to the National Vulnerability Database
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-23623
Vulnerability Analysis
Electron renderer processes execute web content using Chromium. Content-Security-Policy is the primary browser-level control that restricts which script sources may execute and whether dynamic code evaluation is permitted. Applications commonly omit unsafe-eval from script-src to block eval() and the Function constructor, which are frequent sinks in client-side injection attacks.
In Electron 22.x and the early 23.x preview line, that CSP directive is silently ignored in renderers configured with sandbox: false. The Node.js-integrated execution path that runs alongside such renderers does not enforce the CSP eval restriction. An attacker who lands a script injection in this context can therefore reach eval() and new Function() even when the developer believed CSP had locked those primitives down.
This is a control-flow management weakness tracked under CWE-670. The classification reflects that the renderer takes an alternate, less-restricted execution path that the policy author did not anticipate.
Root Cause
The CSP enforcement logic for the unsafe-eval source expression is tied to the sandboxed renderer path. When sandbox: false is configured, the renderer follows a code path that does not consult the application's script-src directive before permitting dynamic code evaluation. Defense-in-depth assumptions made at the CSP layer are therefore broken.
Attack Vector
Exploitation requires an injection primitive in the renderer. A typical chain begins with a cross-site scripting flaw, an unsafe template binding, or untrusted data rendered into the DOM. Once script executes, the attacker calls eval() or constructs a function with new Function('...') to run payloads that should have been blocked. Because Electron renderers with sandbox: false often expose Node.js integration or contextBridge APIs, the secondary execution can pivot toward filesystem, process, or IPC abuse depending on application configuration.
No public proof-of-concept exploit is recorded, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the GitHub Security Advisory GHSA-gxh7-wv9q-fwfr for upstream technical detail.
Detection Methods for CVE-2023-23623
Indicators of Compromise
- Renderer processes spawned from Electron 22.x or 23.x binaries where the parent application configures sandbox: false.
- Unexpected child processes or file writes originating from an Electron renderer that should be confined by CSP.
- Outbound network connections from renderer processes to domains not referenced by the application's connect-src policy.
Detection Strategies
- Inventory Electron-based desktop applications and identify those shipping with electron runtime versions in the 22.0.0–22.0.0 and 23.0.0-alpha1 ranges.
- Inspect application source or unpacked app.asar archives for BrowserWindow constructions that pass sandbox: false or omit the sandbox key while disabling contextIsolation.
- Static-scan renderer code for dynamic evaluation sinks such as eval(, new Function(, setTimeout with string arguments, and setInterval with string arguments.
Monitoring Recommendations
- Log Electron renderer process creation, command-line arguments, and child process activity from endpoint telemetry.
- Alert on Electron applications loading remote content over HTTP or rendering untrusted user-supplied HTML into privileged renderers.
- Track Electron version strings reported by software inventory tools and flag deployments pinned to the affected 22.x or 23.x preview builds.
How to Mitigate CVE-2023-23623
Immediate Actions Required
- Upgrade Electron to 22.0.1 or later within the 22.x line, or to 23.0.0-alpha.2 or later within the 23.x line. Upgrading to the latest stable Electron release is recommended.
- Audit all BrowserWindow and webview configurations and set sandbox: true for every renderer that loads untrusted or remote content.
- Re-review script-src directives across the application and confirm that production renderers do not rely on eval() so that unsafe-eval can remain absent.
Patch Information
The upstream fix is delivered in Electron 22.0.1 and 23.0.0-alpha.2. Maintainers backported the CSP enforcement so that script-src without unsafe-eval is honored regardless of the renderer's sandbox state. Full advisory text is published at the Electron GitHub Security Advisory.
Workarounds
- Enable sandbox: true on every BrowserWindow and webview in the application as a complete mitigation when upgrading is not immediately possible.
- Remove all uses of eval(), new Function(), and string-based setTimeout/setInterval calls from renderer-side code to eliminate the dynamic evaluation sink.
- Restrict renderers to local, trusted content and disable Node.js integration in any window that must load remote resources.
# Configuration example: harden BrowserWindow creation in main.js
# const { BrowserWindow } = require('electron')
# const win = new BrowserWindow({
# webPreferences: {
# sandbox: true,
# contextIsolation: true,
# nodeIntegration: false
# }
# })
# win.loadFile('index.html')
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
