Reported on

Sep 12th 2021

✍️ Description

Attackers can execute malicious code on users computers using Google Voice Desktop App provided that users click on a malicious hyperlink in the app itself

🕵️‍♂️ Proof of Concept

  1. Host the following index.html on a web server
  1. Users who click on the hyperlink[WEB_SERVER]/index.html in the Desktop App (via someone messaging them the link) will execute require('child_process').exec('calc'), which will open the calculator app on the computer.

💥 Impact

This vulnerability is capable of code execution via visiting malicious hyperlink in the application

Recommended Fix

The vulnerability exists because nodeIntegration is set to true so whatever that is embedded in a <script> tag on a webpage will get executed in Node. In addition in only checks if the URL starts with, however example URL actually resolves to webserver.local, but it bypasses the check above. Recommended fix for this is to use NodeJS url.parse and check if host == "" or "", a better fix (if possible, ) would be to disable nodeIntegration entirely.

📍 Location main.js#L147-L149

We created a GitHub Issue asking the maintainers to create a a year ago
haxatron modified the report
a year ago
haxatron modified the report
a year ago
a year ago


@admin maintainer email is

I think the bot couldn't detect email format listed in the

haxatron modified the report
a year ago
a year ago


Hey haxatron, thanks for the heads up. I've emailed the maintainer for you.

We have contacted a member of the jerrod-lankford/google-voice-desktop-app team and are waiting to hear back a year ago
Jerrod Lankford
a year ago


Sorry i messed up my email in the Its fixed. I also took care of the vulnerability by parsing the url as suggested. Unfortunately i can't remove node integration. Thanks for letting me know

a year ago


Hi there, thanks for fixing the vulnerability! Could you validate this report?

Jerrod Lankford validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jerrod Lankford confirmed that a fix has been merged on 4d9fcf a year ago
Jerrod Lankford has been awarded the fix bounty
to join this conversation