I have a question about an Jitsi Meet Electron RCE issue


I read this article related in RCE issue. (security-advisories/JSA-2020-0001.md at master · jitsi/security-advisories · GitHub)

I’m wondering if it’s an Electron problem or if it could be caused by a change in Jitsi Server in Jitsi Meet Electron.

If it is Electron’s problem, what should I do when developing a desktop app with Jitsi in a native language?
Or, if it’s the reason for the Jitsi Server change, will fixing the server’s address solve the problem?

It’s a combination. We used to dynamically download and execute JS code that had access to the main process. This results in RCE if someone puts some malicious code in their server, for example.

1 Like

Thank you for answer.

I have additional questions on this part.

Is the JS code received from the server because it uses an iframe?
If so, will the problem be solved if it is developed in a form that does not use iframe?

My question may not be accurate because I don’t know much about electron. Thank you for your understanding.

I have read about the vulnerability again.

If all the problems are caused by incorrect code on the modified server, is it okay to use a stable private server without allowing server address changes?

No, it was the downloading of external_api.js. It’s now bundled.

1 Like

We have shielded the app as much as we can, and a bogus server should now not be able to trigger RCE.

1 Like

Thank you!