EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
electron📦electron📦electronReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects npm packages — download data is not available via public APIs for these ecosystems.
Description
GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, 1.6.15 and earlier has a vulnerability in the protocol handler, specifically Electron apps running on Windows 10, 7 or 2008 that register custom protocol handlers can be tricked in arbitrary command execution if the user clicks on a specially crafted URL. This has been fixed in versions 1.8.2-beta.4, 1.7.11, and 1.6.16.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | electron | ≥ 1.7.0&&< 1.7.11 | 1.7.11 |
| 📦npm | electron | ≥ 1.6.0&&< 1.6.16 | 1.6.16 |
| 📦npm | electron | ≥ 1.8.0&&< 1.8.2-beta.4 | 1.8.2-beta.4 |
Research use only. For defensive security, authorized penetration testing, and academic research only. Never execute exploit code against systems without explicit written authorization.
Exodus Wallet (ElectronJS Framework) - Remote Code Execution
by Wflki · Jan 25, 2018
Exodus Wallet (ElectronJS Framework) - Remote Code Execution (Metasploit)
by Metasploit · Mar 29, 2018
Frequently Asked Questions
Is CVE-2018-1000006 in your stack?
O3 detects CVE-2018-1000006 across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.