
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Electron, a framework for building cross-platform desktop applications using JavaScript, HTML, and CSS, was found to have a security vulnerability (CVE-2023-23623) affecting versions 22 and 23. The vulnerability was discovered when a Content-Security-Policy that disables eval through the script-src directive (without unsafe-eval) was not properly enforced in renderers with the sandbox disabled (GitHub Advisory, NVD).
The vulnerability allows methods such as eval() and new Function to be used unexpectedly in renderers where sandbox is set to false in the webPreferences object. This bypass of Content-Security-Policy restrictions occurs specifically when both sandbox and contextIsolation are disabled. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) by NVD and 7.5 (HIGH) by GitHub, indicating its severe nature (NVD).
The vulnerability results in an expanded attack surface by allowing the execution of potentially malicious code through eval() and new Function methods, which should have been blocked by the Content-Security-Policy. This could lead to unauthorized code execution within the application context (GitHub Advisory).
The issue has been fixed in Electron versions 22.0.1 and 23.0.0-alpha.2. If upgrading isn't possible, the vulnerability can be mitigated by enabling sandbox: true or contextIsolation: true on all renderers. It is recommended that all applications upgrade to the latest stable version of Electron (GitHub Advisory).
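The condition described above, as an added audit example that is not code from the advisory or from Electron itself: it checks a BrowserWindow's webPreferences and the page's CSP for the vulnerable combination (no 'unsafe-eval' in script-src, with sandbox and contextIsolation both off) and reports the advisory's mitigation. It assumes Electron 20+ default values for sandbox and contextIsolation, and the CSP strings and renderer objects are constructed for illustration.

```javascript
// Added example (not from the advisory or Electron). Plain Node.js; the electron
// module is not required. Pure functions so the result can be checked, not just printed.

// Assumption: Electron 20+ defaults. contextIsolation is true unless set to false;
// sandbox is true unless set to false or nodeIntegration is true with sandbox unset.
function resolveWebPreferences(prefs = {}) {
  const contextIsolation = prefs.contextIsolation !== false;
  const sandbox = prefs.sandbox !== undefined
    ? prefs.sandbox === true
    : prefs.nodeIntegration !== true;
  return { sandbox, contextIsolation };
}

// True when the CSP should block eval(): an effective script source list exists
// (script-src, falling back to default-src) and it does not contain 'unsafe-eval'.
function cspBlocksEval(csp) {
  const directives = new Map();
  for (const part of csp.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), values.map((v) => v.toLowerCase()));
  }
  const sources = directives.get('script-src') || directives.get('default-src');
  return sources !== undefined && !sources.includes("'unsafe-eval'");
}

// bypassPossible is the CVE-2023-23623 condition on an unpatched 22.x / 23.0.0-alpha.x
// renderer: the CSP forbids eval, yet neither sandbox nor contextIsolation is on.
function auditRenderer({ webPreferences, csp }) {
  const effective = resolveWebPreferences(webPreferences);
  const blocksEval = cspBlocksEval(csp);
  const bypassPossible = blocksEval && !effective.sandbox && !effective.contextIsolation;
  return {
    effective,
    cspBlocksEval: blocksEval,
    bypassPossible,
    remediation: bypassPossible
      ? 'Upgrade to Electron 22.0.1 / 23.0.0-alpha.2 or later, or set sandbox: true or contextIsolation: true'
      : 'none required for CVE-2023-23623',
  };
}

// Constructed sample input: the weak configuration from the advisory beside its hardened form.
const CSP = "default-src 'self'; script-src 'self'";
const weakRenderer = { webPreferences: { sandbox: false, contextIsolation: false, nodeIntegration: true }, csp: CSP };
const hardenedRenderer = { webPreferences: { sandbox: true, contextIsolation: true }, csp: CSP };

console.log(JSON.stringify(auditRenderer(weakRenderer), null, 2));
console.log(JSON.stringify(auditRenderer(hardenedRenderer), null, 2));
```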
Source: This report was generated using AI