CVE-2014-9733 – This vulnerability in nw.js (formerly node-webk... (How to Fix)

Q: What is the severity of CVE-2014-9733?

CVE-2014-9733 has a CVSS score of 9.8 (CRITICAL). This vulnerability in nw.js (formerly node-webkit) allows remote attackers to simulate user input events in normal frames, potentially enabling unauthorized actions. It affects applications built with nw.js versions before 0.11.5. Attackers could exploit this to perform actions on behalf of users without their consent.

📋 TL;DR

This vulnerability in nw.js (formerly node-webkit) allows remote attackers to simulate user input events in normal frames, potentially enabling unauthorized actions. It affects applications built with nw.js versions before 0.11.5. Attackers could exploit this to perform actions on behalf of users without their consent.

💻 Affected Systems

Products:

nw.js (formerly node-webkit)

Versions: All versions before 0.11.5

Operating Systems: Windows, Linux, macOS

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all applications built with vulnerable nw.js versions regardless of configuration.

📦 What is this software?

Nw.js by Nwjs

View all CVEs affecting Nw.js →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the application allowing remote code execution, data theft, or unauthorized system access depending on application functionality.

🟠

Likely Case

Unauthorized actions within the application such as clicking buttons, submitting forms, or navigating to malicious sites without user interaction.

🟢

If Mitigated

Limited impact if application runs in sandboxed environment with minimal privileges and input validation.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability description suggests remote exploitation via unknown vectors, indicating potential for easy exploitation once vectors are discovered.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.11.5 and later

Vendor Advisory: https://github.com/nwjs/nw.js/blob/nw11/CHANGELOG.md

Restart Required: Yes

Instructions:

1. Update nw.js to version 0.11.5 or later. 2. Rebuild your application with the updated nw.js version. 3. Redeploy the updated application to all affected systems.

🔧 Temporary Workarounds

Application Sandboxing

all

Run nw.js applications in restricted environments with minimal privileges

Network Segmentation

all

Isolate nw.js applications from untrusted networks and internet access

🧯 If You Can't Patch

Isolate affected applications in network segments with no internet access
Implement application-level input validation and event filtering

🔍 How to Verify

Check if Vulnerable:

Check nw.js version in application dependencies or runtime. Versions below 0.11.5 are vulnerable.

Check Version:

Check package.json for nw.js version or run application with --version flag if supported

Verify Fix Applied:

Verify nw.js version is 0.11.5 or higher after update.

📡 Detection & Monitoring

Log Indicators:

Unexpected user input events
Application behavior without user interaction
Suspicious frame interactions

Network Indicators:

Unusual outbound connections from nw.js applications
Requests to unexpected domains

SIEM Query:

Process execution where process_name contains 'nw' AND version < '0.11.5'

📊 Metadata

CVE ID: CVE-2014-9733

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-20

Published: October 17, 2017

Last Updated: April 20, 2025

🔗 References

https://github.com/nwjs/nw.js/blob/nw11/CHANGELOG.md Release Notes,Third Party Advisory
https://github.com/nwjs/nw.js/blob/nw11/CHANGELOG.md Release Notes,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2014-9733, you might also want to check these: