This is probably a common flaw in a lot of applications with a lot of complexity layered below the main product.
Electron applications are a prime example of this, since there is a whole web browser underneath, and HTML doing HTML things is expected behavior for the browser, but not for the application above. One can probably attribute the whole log4j debacle to the same fault, in that the "common" developer is unable to understand all the complexity and quirks their software ships with (the difference being that a browser engine is far more complex than a logger).
I remember a time when "Scratch" wasn't an Electron application, but a native (I think?) Linux application. Obv. there can be bugs in dependencies too (rsvg, libpng, etc.), but they are different and tend to not be as easily exploitable as these kinds of Electron/HTML->V8 bugs are.
Originally Scratch was a Smalltalk program, and then in 2.0 it switched to Flash/ActionScript. So it has never really been "native". Although I'm not a big fan of Electron, it does fit what the Scratch project needs perfectly, as they need to be able to run Scratch in a web browser to reach more kids and schools. In this day and age, HTML5/JS/CSS is the only way to do that. The fact that Electron lets them offer an offline editor is just a nice bonus.
This is one of my favourite classes of vulnerabilities.
Many applications and SaaS products that deal with images are susceptible to this vector because often image handling isn't a core business, just a means to an end, so it isn't always given the priority or deference it deserves.
The SVG format by spec is a Swiss army knife that contains all kinds of opportunities for leveraging poor handling of the data it can contain.
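As an added illustration of the defensive side of the comment above (this is example code written for this page, not code from any of the commenters or from the Scratch project), the checker below audits an uploaded SVG for the constructs that turn "an image" into active content: inline DTD/entity declarations, `<script>`/`<foreignObject>`-style elements, `on*` event-handler attributes, and references that point outside the document. The policy it applies (only `#fragment` references allowed, any `url()` in CSS flagged) is an assumed, deliberately conservative one; the two SVG samples are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Elements that carry executable or foreign content rather than drawing instructions.
RISKY_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tag/attribute names."""
    return name.rsplit("}", 1)[-1]


def audit_svg(data: bytes) -> list[str]:
    """Return a list of findings for an SVG document; an empty list means nothing was flagged."""
    findings: list[str] = []

    # A DTD must precede the root element, so a bounded prefix scan is enough.
    # Refuse such input before parsing: stdlib expat still expands internal entities.
    head = data[:4096].lower()
    if b"<!doctype" in head or b"<!entity" in head:
        findings.append("dtd: inline DTD/entity declarations (entity expansion risk)")
        return findings

    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"parse: not well-formed XML ({exc})"]

    if _local(root.tag) != "svg":
        findings.append(f"root: expected <svg>, found <{_local(root.tag)}>")

    for el in root.iter():
        tag = _local(el.tag) if isinstance(el.tag, str) else "?"
        if tag in RISKY_ELEMENTS:
            findings.append(f"element: <{tag}>")
        # <style> blocks can pull in remote resources via url() or @import.
        if tag == "style" and el.text and ("url(" in el.text.lower() or "@import" in el.text.lower()):
            findings.append("style: url()/@import inside <style>")
        for attr, value in el.attrib.items():
            name = _local(attr)  # xlink:href and href both collapse to 'href'
            if name.lower().startswith("on"):
                findings.append(f"attribute: {name} on <{tag}> (event handler)")
            elif name in ("href", "src") and not value.strip().startswith("#"):
                findings.append(f"reference: {name}={value!r} on <{tag}> (non-fragment target)")
            elif name == "style" and "url(" in value.lower():
                findings.append(f"style: url() on <{tag}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """Convenience wrapper for an upload gate: True only when the audit flags nothing."""
    return not audit_svg(data)


# Constructed samples: one plain drawing, one that exercises every check.
CLEAN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<circle cx="5" cy="5" r="4" fill="#09f"/><use href="#a"/></svg>'
)
RISKY_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="x()">'
    b'<script>/* constructed placeholder */</script>'
    b'<image xlink:href="https://example.invalid/a.png"/>'
    b'<foreignObject><div/></foreignObject></svg>'
)
DTD_SVG = b'<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY a "b">]><svg/>'

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("risky", RISKY_SVG), ("dtd", DTD_SVG)):
        print(label, audit_svg(doc))
```

Running the module prints an empty list for the clean drawing and four findings for the risky one (the `onload` handler, the `<script>`, the external `<image>` reference and the `<foreignObject>`). A practical upload pipeline would pair a check like this with rasterising the SVG to PNG on the server side, so that whatever the browser or Electron shell later renders is a bitmap rather than a document.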