Reported on

Sep 12th 2021

✍️ Description

Attackers can execute malicious code on users computers using Google Voice Desktop App provided that users click on a malicious hyperlink in the app itself

🕵️‍♂️ Proof of Concept

  1. Host the following index.html on a web server
  1. Users who click on the hyperlink[WEB_SERVER]/index.html in the Desktop App (via someone messaging them the link) will execute require('child_process').exec('calc'), which will open the calculator app on the computer.

💥 Impact

This vulnerability is capable of code execution via visiting malicious hyperlink in the application

Recommended Fix

The vulnerability exists because nodeIntegration is set to true so whatever that is embedded in a <script> tag on a webpage will get executed in Node. In addition in only checks if the URL starts with, however example URL actually resolves to webserver.local, but it bypasses the check above. Recommended fix for this is to use NodeJS url.parse and check if host == "" or "", a better fix (if possible, ) would be to disable nodeIntegration entirely.

📍 Location main.js#L147-L149

We created a GitHub Issue asking the maintainers to create a 2 years ago
haxatron modified the report
2 years ago
haxatron modified the report
2 years ago
2 years ago


@admin maintainer email is

I think the bot couldn't detect email format listed in the

haxatron modified the report
2 years ago
2 years ago


Hey haxatron, thanks for the heads up. I've emailed the maintainer for you.

We have contacted a member of the jerrod-lankford/google-voice-desktop-app team and are waiting to hear back 2 years ago
Jerrod Lankford
2 years ago


Sorry i messed up my email in the Its fixed. I also took care of the vulnerability by parsing the url as suggested. Unfortunately i can't remove node integration. Thanks for letting me know

2 years ago


Hi there, thanks for fixing the vulnerability! Could you validate this report?

Jerrod Lankford validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jerrod Lankford marked this as fixed with commit 4d9fcf 2 years ago
Jerrod Lankford has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation